Readit News logoReadit News
that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
that_james · 3 years ago
Posting another comment rather than updating my last one: Thanks to all for the feedback.

After knocking it around in my head, I concede I am wrong :) HTTP is, after all, an Application layer protocol.

Whilst I remain unconvinced by some of the arguments, that one that got through to me was mostly about the reasoning behind using an application layer protocol in the first place: standards. And this breaks the crap out of those standards.

The correct answer is probably closer to a combination of status codes and a _clear_ response message (as well as the correct Content-Type header!)

An empty 404 is ambiguous, which is surprising to nobody :) fair points all round

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
light_hue_1 · 3 years ago
This is like saying that if /web/index.html exists we shouldn't return 404 when /web/junk.html does not exist. That's clearly nonsense and not how http was designed to work.
that_james · 3 years ago
That was what I meant by "actual web servers" :D poorly described though, fair enough.

I should have been clearer about this relating to HTTP RPC. I updated the post.

That said, after reading the responses here, I can see that what I've actually achieved is making the response harder to determine for the client, which is antithetical to the objective.

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
mesozoic · 3 years ago
Have they never heard of codes other than 2xx and 4xx?
that_james · 3 years ago
I even put 500 in the post :)

I was hoping to start a discussion around using HTTP status codes as domain error codes, as opposed to an opinionated payload.

Maybe not as clear as I could have made it.

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
dncornholio · 3 years ago
Author thinks only a 200 response can contain a body or something
that_james · 3 years ago
That's not the takeway I was after, I was pretty certain I had clearly described my intention of debating the usage of HTTP status codes as domain error messages.

Not really sure why you think I'm of the opinion only 2xx codes can have responses, perhaps I could have been clearer.

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
HatchedLake721 · 3 years ago
If you’re a public API, please don’t do this.

I’ve personally integrated with almost 50 different SaaS APIs in the last 2 years.

The worst ones to work with were the ones returning errors in 200.

I don’t want to parse and write switch statements for your strings to understand whether it’s authentication, authorization, not found or any other error.

Now I have logic tied to strings you return and I can’t wait until someone decides to change the error messages they return. People rarely assume there’s an API contract in error messages.

that_james · 3 years ago
> People rarely assume there’s an API contract in error messages

But then what's the point of an API contract if it's not describing the returned data? What I'm arguing is the opinionated payload provides a lot of the same value. Or am I missing something?

The monitoring systems would naturally not be stoked to see 2xx codes containing errors, but I'd just ping the monitoring system out of my application server anyways. Not sure if that's better or worse though.

I've done like little to no platform engineering and I may be gravely underestimating the consequences of doing this, but it works well with prometheus.

Perhaps I am a fool though :) but how else would I find out if I didn't put my ideas out there :D

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
inanutshellus · 3 years ago
This is a bit weird to me.

Your article is entitled "I've been abusing HTTP status codes" ... but... you're not "abusing" them, you're "not using" them for your APIs. (Or, said another way, you're leaving them to their normal usage for HTTP servers.)

Thus -- as REST is /the/ canonical "hijack HTTP status codes to mean something clever" paradigm -- your article is /entirely/ in context of REST even if you avoided mentioning it.

...

Anyway - I'm entirely with you on the foolishness of using 404 to mean both "your URL is messed up" and "I couldn't find the resource you wanted".

that_james · 3 years ago
> Thus -- as REST is /the/ canonical "hijack HTTP status codes to mean something clever" paradigm -- your article is /entirely/ in context of REST.

Oof, that's a hell of a good point. So much for that plan lol

> Anyway - I'm entirely with you on the foolishness of using 404 to mean both "your URL is messed up" and "I couldn't find the resource you wanted". Seems like, for REST, you'd want to return a 400 (malformed request) or something if your URL was borked rather than overloading 404.

Yup, that's the headache I'm trying to muddle my way through.

Really it's less "this is how to build APIs" and more "have you considered your consumer when you return data?". But I think even in that context your point stands better.

Back to the drawing board it seems.

At least I can generate more content now :D

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
that_james · 3 years ago
Y'all have given me a lot to chew on.

I would like to point out a few of the detractors are conflating REST and HTTP RPC, I avoided using the term REST for a reason :)

BUT, that being said, lots of good arguments against this stance. I appreciate the feedback :)

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
NoGravitas · 3 years ago
Nah, this guy is wrong. The reason that he's wrong is that URLs represent resources, such as, in his example API, employee data. If you submit a request for a resource that doesn't exist, then 404 is the correct response. His problem is in thinking that HTTP is just a transport layer for arbitrary applications to use for whatever they want. It's not; it's a framework for particular types of applications, using REST and HATEOAS. He's trying to write some kind of RPC application using REST syntax, but ignoring REST semantics.
that_james · 3 years ago
REST is not HTTP! I didn't mention REST for a reason :)

But that's a good point about the transport layer.

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
imdsm · 3 years ago
I disagree that returning a 404 for `/api/v1/employees/100` is wrong. If `/api/v1/employees/100` is the resource that is being requested, yet the record doesn't exist, then the resource doesn't exist. Much like `/some_photo.jpg` not existing would return 404 if missing too.

What if we changed `/some_photo.jpg` to `/photo?id=some_photo` and it didn't exist? 404? Okay, now what if we change `/photo?id=some_photo` to `/photo?id=100`? What if then change that to `/photo/100`? At which point does it no longer become okay for the request to be tied to the resource?

`/api/v11/employees/1` may be 404, and `/api/v1/employees/100` maybe 404 too, because neither of them are found. If anything, the problem is that HTTP status codes are limited and haven't really kept up with technology. We have a few additional codes, like with Cloudflare, but for the most part, there is no community project or standard for expanding HTTP Status Codes.

Perhaps there should be.

that_james · 3 years ago
For me it boils down to this:

If you ask for an employee that doesn't exist, is it a failure? Or is it just a negative, but expected response?

Perhaps that's a stupid question though.

that_james commented on I've been abusing HTTP Status Codes in my APIs for years   blog.slimjim.xyz/posts/st... · Posted by u/that_james
treis · 3 years ago
No, paths that reach a server and get processed exist.
that_james · 3 years ago
That's a succinct definition, happy to admit that's a better argument than mine
t

u/that_james

KarmaCake day121July 13, 2022View Original