400 or 403 response code for POST Restful API
I am developing a POST RESTful API and have a situation where I have to authorize a user based on one of the items provided in the request body. For example,
{
    "division": "1",
    "name": "MyName",
    "address": {
        "no": 123,
        "street": "abc",
        "pincode": 222111
    }
    ....
}
Thus, the user making the POST request must have the right to work with department 1. I cannot resolve the user without getting the request body.
Also, to check some of the attributes I have to go to the DB, which means making heavy DB calls, for example to check that the above address has a valid pincode value.
So my question is, how do I return error codes to the user?
- [EDIT] If the division is invalid (something that doesn't exist in the system) in the request - 400 or 403?
- If division is provided but the user is not logged in and the pincode is invalid - 400 for the invalid pincode or 403?
- What should the error code be if pincode is a required attribute and is not specified in the request? Should I check for 403 first and then 400, or vice versa?
Basically, which error code should take precedence over the other?
You can also do something like:
- 400 – request is bad, syntactically (division/pincode or other mandatory values not provided)
- 403 – authorize user
- 400 – request is bad, data-specific validation (heavier operation, requiring a hit on the DB)
[EDIT] We chose not to use error code 422.
When in doubt, just take a look at the RFC:
400 Bad Request
The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
> If the division is not specified in the request - 400 or 403?
I don't think 400 is applicable. The syntax - although it lacks data - is not bad. Also, 403 seems to be wrong for the reasons mentioned in the quote above: authorization won't help, etc.
How about a 422 Unprocessable Entity?
422 Unprocessable Entity (WebDAV; RFC 4918)
The request was well-formed but was unable to be followed due to semantic errors.
This is what I usually use in situations like this.
> If division is provided but the user is not logged in and the pincode is invalid - 400 for the invalid pincode or 403?
Again, I don't think this is 400 or 403. There is a 401 specifically for this situation.
401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response MUST include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.
I think you are on the right track. Assuming every request is authenticated (via the HTTP Authorization header):
1) Returning 400 on missing data is OK, and in addition you can add an error response body explaining the reason the client request was denied (in this case, that there is no division).
2) Returning 403 is fine if the client making the request is not allowed to interact with the resource (in this case the division).
3) You must first confirm whether the client is allowed to interact with the resource, so the 403 must be sent first, and if the required field is missing you can treat it as a 400 (with a proper explanation).
If the client is not authenticated, the correct answer should be 401, but as I said in 1) and 2), my answer assumes clients are authenticated against the server.
Hope it helps,
Jose Luis
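The ordering both answers converge on (401 for an unauthenticated caller, 400 for a malformed body, 403 for a division the caller may not work with, and only then the DB-backed data validation) as an added example; this is illustrative code, not from the question or either answer. The token store, the division grants and the pincode table are constructed stand-ins for the real user store and database.

```python
import json
from dataclasses import dataclass, field

# Constructed sample data standing in for the real user store and DB lookups.
USERS = {"token-alice": {"name": "alice", "divisions": {"1"}}}  # bearer token -> user
VALID_PINCODES = {222111, 560001}  # stands in for the "heavy" DB lookup of pincodes

@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)

def authenticate(headers):
    """Step 1: resolve the caller from the Authorization header; None if absent or unknown."""
    token = headers.get("Authorization", "")
    return USERS.get(token[len("Bearer "):]) if token.startswith("Bearer ") else None

def syntactic_errors(body):
    """Step 2: cheap shape checks that need no DB; missing or mistyped mandatory fields -> 400."""
    errors = []
    if not isinstance(body.get("division"), str):
        errors.append("division is required and must be a string")
    address = body.get("address")
    if not isinstance(address, dict) or not isinstance(address.get("pincode"), int):
        errors.append("address.pincode is required and must be an integer")
    return errors

def pincode_exists(pincode):
    """Step 4: the expensive data-specific check (stands in for a DB query)."""
    return pincode in VALID_PINCODES

def handle_post(headers, raw_body):
    # 401 first: nothing else runs for an unauthenticated caller, and the challenge is required.
    user = authenticate(headers)
    if user is None:
        return Response(401, {"error": "authentication required"},
                        {"WWW-Authenticate": 'Bearer realm="api"'})
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        body = None
    # 400 for a malformed body before touching the DB; without a division we cannot authorize at all.
    errors = ["body must be a JSON object"] if not isinstance(body, dict) else syntactic_errors(body)
    if errors:
        return Response(400, {"errors": errors})
    # 403 before heavy validation: callers without rights never trigger DB work, and an unknown
    # division gets the same answer as a forbidden one, so nothing about existence leaks.
    if body["division"] not in user["divisions"]:
        return Response(403, {"error": "not allowed to work with this division"})
    if not pincode_exists(body["address"]["pincode"]):
        return Response(400, {"error": "address.pincode does not exist"})  # 422 is also defensible
    return Response(201, {"created": body.get("name")})
```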