this post was submitted on 30 Aug 2024
130 points (99.2% liked)

Programming

17666 readers
215 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 2 years ago
MODERATORS
 

I prefer simplicity and using the first example but I'd be happy to hear other options. Here's a few examples:

HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)
HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
{
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}
HTTP/1.1 200 (๐Ÿคก) POST /endpoint
{
  "error": true,
  "message": "Unauthorized access",
}
HTTP/1.1 403 POST /endpoint
{
  "status": 403,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

Or your own example.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 67 points 3 months ago (5 children)

Giving back a 200 for an error always makes me bristle. Return correct codes people. โ€œBut the request to the web server was successful!โ€

[โ€“] [email protected] 3 points 3 months ago

I don't necessarily disagree, but I have spent considerable time on this subject and can see merit in decoupling your own error signaling from the HTTP layer.

No matter how you design your API, if you're passing through additional layers, like load balancers and CDNs, you no longer have full control over all responses your clients receive. At this point it may be viable to always signal a successful backend connection with a 200, even if the process resulted in a failure.

Going further, your API may include partial success scenarios, think batch processing, then the result could be a mix of success and failure that doesn't translate to HTTP status.

You could even argue that there is really no reason to couple your API so tightly with a concept of the transport layer it uses.

[โ€“] [email protected] 2 points 3 months ago

You should consider if you really want to integrate your application super tightly with the HTTP protocol.

Will it always be used exclusively over a REST-ful HTTP API that you control, and it has exactly one hop to the client, or passes through hops that can be trusted to never alter the HTTP metadata significantly? In that case you can afford to make HTTP codes semantically relevant for your app.

But maybe you need to pass data through multiple different types of layers and different mechanisms (socket protocols, pub-sub, file storage etc.) In that case you want all your semantics to be independent from any form of transport.

[โ€“] [email protected] 4 points 3 months ago

I worked on a product that was only allowed to return 200 OK, no matter what.

Apparently some early and wealthy customer was too lazy to check error codes in the response, so we had to return 200 or else their site broke. Then we'd get emails from other customers complaining that our response codes were wrong.

[โ€“] [email protected] 1 points 3 months ago

It's usually such an easy thing to do as well, in all the web frameworks I've used it's literally a case of changing Ok to Forbidden, 200 to 403 or something very similar

[โ€“] [email protected] 16 points 3 months ago (1 children)

I use this big expensive simulator called Questa, and if there's an error during the simulation it prints Errors: 1, Warnings: 0 and then exits with EXIT_SUCCESS (0)! I tried to convince them that this is wrong but they're like "but it successfully simulated the error". ๐Ÿคฆ๐Ÿปโ€โ™‚๏ธ

We end up parsing the output which is very dumb but also seems to be industry standard in the silicon industry unfortunately (hardware people are not very good at software engineering).

[โ€“] [email protected] 11 points 3 months ago* (last edited 3 months ago) (1 children)

That's when you use different exit codes. 1 for failure during simulation, 2 for simulation failed.

Shame they wouldn't listen.

[โ€“] [email protected] 1 points 3 months ago

I generally agree, but with robocopy they went too far with this, because the status code doesn't work the way you expect, and you've got to script around it.