REST my ass 💩
{ "ok": false }
{ "ok": false }
wouldn't that be more like
new Promise(() =>{ return { "ok": false }; })
{ "OK": "Ah ah ah, you didn't say the magic word." }
error = true with no description or answer is basically ten years of searching stackoverflow and reddit threads for an answer.
Or a link to a thread on microsoft answers that 404s
that's the worst due to how microsoft answers redirects work making it impossible to go back to the previous page.
Please, please, please, PLEASE return error-codes and problem-details.
Here's the RFC: https://www.rfc-editor.org/rfc/rfc9457.html
Nightmares.
This looks so over-engineered. Most of the time you only need an error message. Make the message clear enough so that it can be shown to the end user.
Why even use HTTP, when you can just send bytes directly over the physical network card, right?
Because standards make it better for everyone. You've no idea when, who or in what context the error will happen or be received by.
It takes so little to return ProblemDetails, and improves the experience of devs using your API so much. Just do it. Stop thinking up edge cases and faffing about with excuses. Do it.
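A sketch of the RFC 9457 approach argued for in the comments above, added here as an example and not code from any commenter or project. The names `ClientError`, `problem_response` and `classify`, the `api.example.com` problem type URI and the sample failures are assumptions made for illustration.

```python
import json

PROBLEM_JSON = "application/problem+json"  # media type defined by RFC 9457


class ClientError(Exception):
    """Caller-attributable failure (4xx); its detail is safe to return."""

    def __init__(self, status, type_uri, title, detail):
        super().__init__(detail)
        self.status, self.type_uri = status, type_uri
        self.title, self.detail = title, detail


def problem_response(exc, instance):
    """Turn an exception into (status, headers, body) with an RFC 9457 body."""
    if isinstance(exc, ClientError):
        status, type_uri = exc.status, exc.type_uri
        title, detail = exc.title, exc.detail
    else:
        # Unexpected failure: "it's us" (5xx). The exception text and stack
        # trace belong in server logs keyed by `instance`, not in the body.
        status, type_uri = 500, "about:blank"
        title = "Internal Server Error"
        detail = "Unexpected error; quote the instance id to support."
    body = {"type": type_uri, "title": title, "status": status,
            "detail": detail, "instance": instance}
    return status, {"Content-Type": PROBLEM_JSON}, json.dumps(body)


def classify(status, headers, body):
    """Client side: trust the status code first, then read the details."""
    if 200 <= status < 300:
        return "ok", None
    kind = "client_error" if 400 <= status < 500 else "server_error"
    is_problem = headers.get("Content-Type", "").startswith(PROBLEM_JSON)
    problem = json.loads(body) if is_problem else {}
    return kind, problem.get("type")


# Constructed sample failures (hypothetical, not from any real API).
BAD_BRANCH = ClientError(
    400, "https://api.example.com/problems/invalid-branch-id",
    "Invalid branch ID", "branchID must be a positive integer.")
CRASH = RuntimeError("connection refused at pool.py:88")
```

The `type` URI gives clients a stable value to branch on, while the status code alone is enough for monitoring to separate caller mistakes from server faults.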
Aaagh! Getting some random old person flashbacks.
Kids. I r-remember a day... You won't believe this... I got a 404 error page... It was otherwise a normal 404 page with a normal message on it, but it had a giant ad on it... like "while you're here, how about you buy this stuff"... It was hell... You've got no idea how lucky you kids are with uBlock...
I was going to say that sounds like situation normal by the 2020s… Until you said uBlock.
Fun story: close to a decade ago we were attempting to upgrade our batch scheduler, called Tidal, to version 6x, which had a RESTful API.
One of the reasons we dropped the product was because we were getting 200 status codes meanwhile the output was a java dump of an error message.
They were adamant that this was an us problem, no matter how much I tried to explain to them with numerous links explaining to them that if something has a 200 status code that should mean things worked.
They argued that the 200 meant we were hitting the API fine. We would have to write code to read the return for if it was an error or not. I still don't think they understood how stupid they were, even all these years later.
I have had that argument repeatedly with people. People insisting that HTTP error codes are "transport layer" and it's "wrong" for an API to hijack them to report "application level issues".
No, the whole point of "REST" was to map application semantics to HTTP in a way that actually normalizes some things like error handling and expectations around whether an operation could be expected to be idempotent and make the namespace navigable.
At one point my work announced a person who was an external hire to be the 'API genius' to set my company straight. He came from a super reputable well known company so of course he was just the smart guy to fix our technical mess. He had sent a message saying that he had reviewed the team's API and concluded they were not restful. I had a glimmer of optimism, that someone recognized as authoritative would call the RPC style HTTP usage that always returned 200 and steer toward sanity, or at least honesty. No, his feedback was that was all fine, but REST does not use JSON, REST uses Protobuf, so they need to change to Protobuf to claim to be REST. Of all the what the hell I could have predicted, that one was not in my book...
A real "API Genius" would be complaining that your API doesn't include HATEOAS, even though I've never once seen an API be used in that way, and few of the big tech APIs actually use it even though they call their APIs RESTful.
To further your point and remembering my asinine discussions with the vendor.
Fine. I accept what they said. Then the return code should be a 5xx code not a 200.
I genuinely wonder if they addressed their fuckups.
Side note: their updated desktop client (because of course the new version didn't have one so they had to write one fast) was a Java client that needed 16 GB of RAM to run marginally well lol
The quote "brimming over with wrongability" comes to mind.
The number of people talking about REST without having read the Wikipedia page is astonishing. Roy Fielding’s dissertation on the subject might be of interest, but that’s from 2000 and absolutely not webscale.
(Edit: /s if that wasn’t immediately obvious)
Yep, I’ve got one of these at work now. Technically, 200 can make sense here if you’re using HTTP as RPC transport, as the server relayed the request to its handler and returned the outcome, but damn if it’s not annoying to actually process the response.
I’ve also seen a lot of devs tie themselves into knots trying to map various execution types to the “semantically correct” HTTP code, but the thing is the abstraction of HTTP is not based around RPC and it’s ultimately a pretty weird fit that we’ve somehow come to view as normal.
Then just return a 500 - Server error. Nice and obscure.
The ability to separate "something wrong with what you sent" (4XX) and "something wrong on the server" (5XX) is very valuable in itself.
It’s not us, it’s you
It's us: 5xx
It's you: 4xx
JSON API almost always means “not REST”. In other words, it works as intended.
I don't wanna be pedantic but most things we call REST aren't REST. The original definition of REST is what we typically call HATEOAS. So when you say JSON API almost always means not REST you need to qualify that.
how would you return metadata or more detailed error codes?
However you like, REST doesn’t dictate anything there. Just be consistent and use hypermedia.
JSON APIs almost never follow REST because they almost never use JSON as hypertext. Worse, no complete stable hypertext JSON standard exists. There’s JSON-HAL, but it lacks a way to represent resource templates (think HTML’s `<form>`).
Therefore, with JSON APIs ignoring one of the most basic ideas behind REST, why would anyone expect them to follow another idea of REST - consistency?
REST is a deceptively simple concept. Any time you build an HTML website a human can navigate without consulting documentation, you’re doing it better than vast majority of swagger documented corporate APIs.
returning a 400 never prevented me from adding more info to the response
The argument probably goes something like " if you adhere strictly to REST the error codes are all you need" and then metadata can be sent in response headers.
Been having similar case with dev teams who have coded every error to be 500. User typed the wrong URL? 500. User tried to access a page without logging in? 500... Makes detecting real errors a pain
And on the other side of this are JS devs that check for neither error response codes nor error messages, and write an error into their own data as if it's the result they were after.
Always fun to see GET /orders/{error : "invalid branchID provided"} in your logs.
I'd easily take that over '200 for everything'. If at least errors are distinct from success, I'd take that as a win. My standards have been lowered by so many '200 for everything' backends..
Makes all issues their problem. Clearly it's not a 4xx error so not something the client did wrong.
I would argue that in your application, a wrong URL is a server error. That error being improper handling of a client error.
I'm not a web dev, but had a similar problem with a niche compiler I used to develop.
We were pretty good at validating invariants at the mid and back-end. This meant that most user errors got reported as internal errors. Generally, these errors were good enough that users were able to get used to reading them and fix their code.
It was next to impossible to actually get users to file bugs about this. Our internal error messages started with a banner that read "THIS IS A BUG IN <compiler name>. PLEASE REPORT TO <support email address>". Despite that, whenever we actually got a bug report, it would inevitably start with "I'm pretty sure this isn't actually a bug in the compiler, but I can't figure out what I am doing wrong in my code".
> I would argue that in your application, a wrong URL is a server error. That error being improper handling of a client error.
That's certainly an unusual take. If you are a backend to HTTP and something throws a completely bogus URL out of left field at you, that's not by any means a backend error.
I guess your take is that it might be some sort of usability issue or such because if 95% of clients try to hit the same non-existent URL, that probably means there's some reasonable expectation that you should do something about the URL. However that's relatively more rare a sort of 'invalid URL' scenario. The vast vast majority are some sort of scanners trying bogus crap, followed by an impossibly diverse set of typos and peculiar one-off assumptions that you can't possibly reasonably cover.
Congratulations! You failed.
no worries! a small failure is the first step on the way to a really really big failure.
Another favorite is when the API barfs a stacktrace instead of valid JSON.
GraphQL makes this same mistake
That’s true, but for a good reason. GraphQL is transport agnostic, so using HTTP status to represent errors doesn’t make sense. HTTP is just a carrier for GraphQL, and the status code represents whether or not the HTTP part was successful.
If only that were true. They are intimately connected and to pretend otherwise is laughable to me
Well no, the HTTP error codes are about the entire request, not just whether or not the actual header part was received and processed right.
Like HTTP 403, HTTP only has a basic form of authentication built in, anything else needs the server to handle it externally (e.g. via session cookies). It wouldn't make sense to send "HTTP 200" in response to trying to access a resource without being logged in just because the request was well formed.
Absolutely true, but GraphQL has never pretended to be REST.
Every time I see someone recommend this at work I die a little inside. Like… C’mon!
I'd rather see this than actual REST or the more popular "use the bits of REST that are convenient".
You'd rather have no responses following a standard rather than only some doing that? No, thanks.
Right? REST is the transport, if you bend it to convey general/application errors it's probably going to get bent out of shape eventually in a way that's hard to clean up
The people that decide which rules are important or not when designing a "REST" api are generally insufferable as well.
Marketo my beloved the bane of my existence. Actually without a doubt the worst API I've ever worked with in my career. The response schemas are random and a 200 means nothing because it might also include a "success": "false". Our backend API is Python and we have strict typing rules but Marketo really makes that difficult.
Oh no... this brings back memories LOL