Error Response: Use status code 404 for "resource not found"

Question

Error Response: Use status code 404 for "resource not found"

Closed this issue 8 years ago · 20 comments

The "error response" section currently states:

HTTP 400: not_found - The post with the requested URL was not found

Both RFC 1945 (HTTP/1.0) and RFC 2068 (HTTP/1.1) define status code 404 for the resource-not-found error case. Please use this.

Answer 1 · 2016-09-19T18:48:06.000Z

My concern with returning HTTP 404 is that it implies that the Micropub endpoint itself is not found.

Answer 2 · 2016-09-19T18:50:36.000Z

It will still return the JSON response, which should be enough for the clients to see that it's not a simple webserver-default-404-message.

Also, the micropub endpoint will most likely support configuration requests, which also do not 404.

Also, the 404 is only used when editing posts. Creating will work fine, which will make the client consider that the endpoint actually exists.

Answer 3 · 2016-09-19T18:51:33.000Z

Sounds to me like a 404 makes sense here

Answer 4 · 2016-09-19T19:23:53.000Z

Are there existing examples of similar (RPC-style rather than resource-based) APIs that have this behavior? If it's typical of these kinds of APIs then I'm happy to change it to match.

Answer 5 · 2016-09-19T20:29:12.000Z

W3C specifications should not be in contradiction with the IETF RFCs for http without very good reasons.

Answer 6 · 2016-09-19T20:31:00.000Z

@akuckartz that doesn't answer my question. "Resource not found" meaning the Micropub endpoint, or the object being referred to in the RPC request?

Answer 7 · 2016-09-19T20:34:10.000Z

@akuckartz RFC 2068 says about 404: "The server has not found anything matching the Request-URI." In the case of Micropub, the request URI is the Micropub endpoint itself, rather than the object being referred to in the request. This is why it seems inappropriate to use 404 as the response here. One might even go so far as to say RFC 2068 explicitly forbids using 404 as the response in this case.

Answer 8 · 2016-09-19T20:50:19.000Z

404 is the response to a request for a URI, not for any operation done as a result of a request to a URI

404 would make sense if micropub had been designed to work with PUT,DELETE,UPDATE verbs performed against the location of the post, but it was not.

400 continues, IMO, to be the least smelly of the options

Answer 9 · 2016-09-19T20:54:36.000Z

Right, because the URL is not part of the request uri but rather the request body – then I agree that 400 is the correct one

Answer 10 · 2016-09-22T05:23:53.000Z

I understand the reasoning to see micropub as a RPC-style API, and understand that in this case 404 would indicate that the RPC endpoint does not exist at all.

Looking at some common existing RPC-over-HTTP specifications (XML-RPC, SOAP and JSON-RPC) told me that neither of them makes use of different HTTP status codes (except in the case of underlying errors). They always use HTTP/1.x 200 OK as response status code and signal their error within the resonse body.

Answer 11 · 2016-09-22T12:47:18.000Z

Also, we should reference the most recent HTTP documentation on status codes:

Answer 12 · 2016-09-22T12:51:43.000Z

Also, 404 is cachable unless you add headers to explicitly not do that: https://tools.ietf.org/html/rfc7234#section-4.2.2

Answer 13 · 2016-09-22T15:29:50.000Z

After quite a bit of discussion during the f2f meeting, we came to the following conclusion:

drop "not_found" from the list of error codes because that case was already covered by "invalid_request"
add a sentence saying how to handle unexpected error codes
add a header to the bullet list of error codes to indicate this is the list of error strings defined by the spec

Answer 14 · 2016-09-22T15:33:44.000Z

@cweiske how's this? https://micropub.net/draft/#error-response

Answer 15 · 2016-09-22T16:40:36.000Z

I'd say all errors are covered by invalid_request. This is ridiculous.

Answer 16 · 2016-09-22T16:56:25.000Z

That's actually the idea basically. All errors other than permissions errors are "invalid request".

Answer 17 · 2016-09-22T17:35:00.000Z

I counted permission errors into "all". If you may not access a resource, then your request is invalid. If you don't have enough scope, your request is invalid.

So the only error code left is "YOU DID SOMETHING WRONG". The error code can be fully dropped now.

Answer 18 · 2016-09-23T08:12:46.000Z

There are actual user-facing reasons for returning a different error when there is a permissions error. Returning "forbidden" tells the client the access token is wrong and the user should log in again. Returning "invalid scope" tells the client the access token is fine but the user needs to re-authorize again to include additional scope, or the client can't do that operation.

Answer 19 · 2016-09-23T08:20:31.000Z

I don't want to continue discussing this issue.

Answer 20 · 2019-01-02T06:59:40.000Z

httpclient delete method showing like this can anybody help me ????
DELETE http://localhost:3000/customers/1 404 (Not Found)
ERROR HttpErrorResponse {headers: HttpHeaders, status: 404, statusText: "Not Found", url: "http://localhost:3000/customers/1", ok: false, …}