I just noticed something that is probably not correct in my application. I have, at many points, POST forms that require certain input parameters in order to proceed with the insertion of the data. For example, in order to add a user to your contacts list, first the user has to exist, and I do this quite simply:

$db = \Database::connection();
$user = new \Models\User();
$user->getById($data['id'], $db);

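if ($user->id) {
    // The user exists, so try to add them to the authenticated user's contacts
    if (\Models\User::auth()->addContact($user, $db)) {
        return \Response::json(['text' => 'Contact added']);
    }
} else {
    // No user with the given id exists
    throw new \Exception('User not found', 404);
}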

Ignoring all other possibilities for errors and just focusing on the user-not-found one, I just noticed that I am returning a 404 code, which I am having my doubts about. At the time I was writing this code I was most certainly provoked by the "not found" part of the message and automatically assumed that it is a 404 error. However, now that I think about it, a 404 error is actually "Resource not found"; how can a resource be not found when I'm not asking for a resource, is my logic.

Is it correct to return a 404 error to a POST request, or should I switch to 400?

php_nub_qq

1 Answer


The resource being updated is a user's contact list - something like User/[userid]/ContactList? This resource is being identified correctly, but the User being added to the contact list is invalid.

In the HTTP RFC, 404 is "The server has not found anything matching the Request-URI..." I would find it surprising behavior to get this error, on the basis that the resource to be updated has been found. If you were to return a 404 then it should include a message body indicating exactly which resource wasn't found.

A 400 means "the request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications". I'd argue that the syntax is correct, so a 500 (internal server error) coupled with an explanation in the response body is more appropriate.

justAnotherUser
  • "The client SHOULD NOT repeat the request without modifications" I think that this exactly matches the situation: the request should not be repeated with the same id since it is invalid, thus modifications should be made in the request body. Furthermore, I remember reading somewhere that recently (can't really tell how recent) the error 400 description had been changed in order to fit into such cases as mine. Aren't these arguments valid? EDIT: found something http://stackoverflow.com/a/10849290/2415293 – php_nub_qq Feb 18 '15 at 10:03
  • Not quite - in this case if the client were to send a new request which creates the missing User resource, and then resends the unmodified original request it would work. – justAnotherUser Feb 18 '15 at 11:32
  • Well, that is true but is highly unlikely to happen. Also, the newer description of code 400 states that the request may be valid but the server refuses to process it. I think error 500 should be used on actual server errors (script errors and such) instead of invalid user input. Even if I'm wrong, I comfort myself that there are websites which use POST to get data and GET to post, so at least I got that going for me.. :D – php_nub_qq Feb 18 '15 at 15:34
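
The distinction drawn in the answer, between the resource named by the Request-URI and a user referenced in the request body, shown as an added example that is not part of the original thread. The route `/users/{ownerId}/contacts`, the in-memory `USERS` data, the `handleAddContact` function and the response fields are all assumptions made for illustration; the status for the unknown-contact case is a constant because the thread itself disagrees on it.

```php
<?php
// Constructed in-memory data standing in for the database (assumption).
const USERS = [1 => 'alice', 2 => 'bob'];

// Status for "the id in the body refers to no user". 400 follows the asker's
// reading in the comments; the answer argues for 500 instead.
const UNKNOWN_CONTACT_STATUS = 400;

/**
 * Hypothetical handler for POST /users/{ownerId}/contacts with a body
 * such as ['id' => 2]. Returns [statusCode, bodyArray].
 */
function handleAddContact(int $ownerId, array $body, array &$contacts): array
{
    // The Request-URI itself matches nothing: this is the 404 case, and the
    // body says exactly which resource was not found.
    if (!array_key_exists($ownerId, USERS)) {
        return [404, ['error' => 'Resource not found',
                      'resource' => "/users/$ownerId/contacts"]];
    }

    // Missing or non-integer id: the body is malformed.
    $id = filter_var($body['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [400, ['error' => 'Invalid request body', 'field' => 'id']];
    }

    // The contact list was found, but the user referenced in the body was not.
    // Naming the field keeps this distinguishable from a missing URI.
    if (!array_key_exists($id, USERS)) {
        return [UNKNOWN_CONTACT_STATUS,
                ['error' => 'User not found', 'field' => 'id', 'value' => $id]];
    }

    $contacts[$ownerId][$id] = true;
    return [200, ['text' => 'Contact added']];
}

$contacts = [];
// Constructed sample requests: [ownerId from the URI, decoded POST body].
$requests = [[1, ['id' => 2]], [1, ['id' => 99]], [1, []], [42, ['id' => 2]]];
foreach ($requests as [$ownerId, $body]) {
    [$status, $payload] = handleAddContact($ownerId, $body, $contacts);
    echo $status, ' ', json_encode($payload), PHP_EOL;
}
```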