Unexpected HTTP 4XX in case of server issue #18
Comments
|
Dear Andrii, thanks for notifying us about a potential anomaly or a way to improve on the response code side. We are aware that there's room for improvements all over the place. May we humbly ask about a minimal example how to reproduce the specific case you are mentioning? As As you are mentioning the search back-end, I figure you might be talking about the data source API entrypoints like If this is true, can you point out the specific data source API where things might go wrong or can be improved? Thanks already and with kind regards, |
|
Hello, When access token is missed in config OPS request return HTTP401 and then patzilla return HTTP 400. But it is definitely server issue and it should be HTTP 5XX |
|
Dear Andrii, thanks for getting back on this and reporting about the context of the request you have been referring to. TLDR;If this request is failing due to an authorization issue, we should probably forward the 401 Unauthorized response status to the user then, right? This might give the client a clue about what's actually going on - otherwise, it won't be able to tell anything about the real reason the request is failing. ThoughtsI believe this detail can be argued about as - while the request definitively is issued by the server - it might not be a server error per se. So, either we might think about sending 502 Bad Gateway downstream or we just keep the 401 Unauthorized response status in order to signal this to the user appropriately. Please recognize that OPS credentials might also come from the users' personal settings so this request can fail independently of the server-configured OPS credentials. RationaleI believe it can well be argued that the server is making the request on behalf of the user, essentially boiling down to be acting as a proxy in this very context. So, it might actually be valid to forward the response code 1:1 when looking at this from another perspective. So, what do you think about just forwarding 401 Unauthorized verbatim without amending the response status at all? With kind regards, |
Yes, I missed this. It makes the case not so obvious and I don't have single answer anymore. Because there is user authentication itself at Patzilla, answer with HTTP401 it case of OPS credentials issue can obscure, because request already has right authentication. RFC 7231 say that :
So, in case of user-configured OPS I think that HTTP400 looks suitable (or 403 maybe) But for server-side credentials it is definitely HTTP500 (anyway 5xx) |
|
Dear Andrii,
I see you your point. Let's make the case here to be able to differentiate the response in order to kick the user to a login screen based on the outcome of the HTTP status like "401 => login screen"?
I believe your arguments are valid but nevertheless I'm hesitant to implement different response status for signalling essentially the same thing under different conditions. That would increase the mental load on each API consumer - human or machine. Thanks for bringing up 403 Forbidden.
As these arguments resonate well with me, I'd vote for passing 403 Forbidden to the client in all cases where the user might have been authenticated to PatZilla but does not have the appropriate permissions to access any upstream resources where PatZilla is an intermediary to, API-wise. What to you think? With kind regards, |
Yes, 401 means like "login and try again"
I think that 403 is a good choice here :) |
Hello,
Page: /navigator/
IMHO It is better to have HTTP 5XX answer to frontend (for example 500) if search back-end answered with HTTP 401.
Now: back-end answers with HTTP 404/400. But client request can be fully valid, it is just issue with server config for example.
The text was updated successfully, but these errors were encountered: