1

I'm building some REST API to be used in a native iOS/Android app. One of the endpoints allows the user to update his password by providing 2 fields: old_password and password.

Which HTTP status code should I in the situation where the old_password is incorrect?

My first thought was a 401 error but I already use it when the authentication token is invalid and it automatically triggers a logout in the app.

400 doesn't seem to fit because the request is actually semantically correct, it is a specific authentication error. Maybe 422?

gbalduzzi
  • 9,356
  • 28
  • 58

1 Answers1

5

One thing to keep in mind is that status codes, like response headers, are metadata; they are there so that generic components that know nothing about the details of your API can participate intelligently -- for example, by invalidating caches, or throwing up dialogs to collect authentication credentials.

400 doesn't seem to fit because the request is actually semantically correct

In practice, 400 is usually fine; clients are supposed to treat an unrecognized 4xx class status code as they would treat 400. Put another way, you can use 400 unless you specifically want to induce a different behavior by the generic components.

For your specific case, 409 Conflict is probably the closest match

The 409 (Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict.

RFC 5789 suggests a distinction between 409 and 422 that may be interesting. Paraphrasing this distinction

422: This might include attempts to modify a resource in a way that would cause the resource to become invalid 409: the request cannot be applied given the state of the resource.

You can also make a reasonable argument that the entire 4xx class of response codes is inappropriate. For example, if the request method is POST, then the server is expected to

process the representation enclosed in the request according to the resource's own specific semantics

Which it did; successfully, even. It just didn't produce the most commonly expected successful result.

On the other hand, the JSON Patch would argue the other direction; your attempt to change the password would probably look something like

[
    { "op": "test", "path": "/password", "value": "old_password" },
    { "op": "replace", "path": "/password", "value": "new_password" }
]

If you provided the wrong password in the test, then that operation would be considered unsuccessful, which would in turn mean that the PATCH is unsuccessful. That in turn would invoke the arguments for error handling as described in HTTP Patch.

Community
  • 1
  • 1
VoiceOfUnreason
  • 52,766
  • 5
  • 49
  • 91