What's an appropriate HTTP status code to return by a REST API service for a validation failure?

Problem description

I'm currently returning 401 Unauthorized whenever I encounter a validation failure in my Django/Piston based REST API application. Having had a look at the HTTP Status Code Registry I'm not convinced that this is an appropriate code for a validation failure, what do y'all recommend?

  • 400 Bad Request
  • 401 Unauthorized
  • 403 Forbidden
  • 405 Method Not Allowed
  • 406 Not Acceptable
  • 412 Precondition Failed
  • 417 Expectation Failed
  • 422 Unprocessable Entity
  • 424 Failed Dependency

Update: "Validation failure" above means an application level data validation failure, i.e., incorrectly specified datetime, bogus email address etc.

Recommended answer

If "validation failure" means that there is some client error in the request, then use HTTP 400 (Bad Request). For instance if the URI is supposed to have an ISO-8601 date and you find that it's in the wrong format or refers to February 31st, then you would return an HTTP 400. Ditto if you expect well-formed XML in an entity body and it fails to parse.

(1/2016): Over the last five years WebDAV's more specific HTTP 422 (Unprocessable Entity) has become a very reasonable alternative to HTTP 400. See for instance its use in JSON API. But do note that HTTP 422 has not made it into HTTP 1.1, RFC-7231.

Richardson and Ruby's RESTful Web Services contains a very helpful appendix on when to use the various HTTP response codes. They say:

400 ("Bad Request")
Importance: High.
This is the generic client-side error status, used when no other 4xx error code is appropriate. It’s commonly used when the client submits a representation along with a PUT or POST request, and the representation is in the right format, but it doesn’t make any sense. (p. 381)

and:

401 ("Unauthorized")
Importance: High.
The client tried to operate on a protected resource without providing the proper authentication credentials. It may have provided the wrong credentials, or none at all. The credentials may be a username and password, an API key, or an authentication token—whatever the service in question is expecting. It’s common for a client to make a request for a URI and accept a 401 just so it knows what kind of credentials to send and in what format. [...]
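
The split described in the answer, as an added example that is not part of the original post or of Django/Piston: 401 is kept for missing or wrong credentials, while unparsable bodies and application-level validation failures get 400 (or 422 on request). The function name, the Bearer token, the JSON body (used here in place of the answer's XML) and the field names `start` and `email` are all assumptions made for the illustration.

```python
import hmac
import json
from datetime import date

DEMO_TOKEN = "constructed-demo-token"  # constructed credential, not a real secret


def check_request(headers, raw_body, validation_status=400):
    """Return (status, response_headers, body) for a hypothetical 'create event' call.

    Pass validation_status=422 to use the WebDAV code the answer mentions.
    """
    # 401 only for missing or wrong credentials; it carries a challenge
    # telling the client which authentication scheme to use.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), DEMO_TOKEN.encode()):
        return 401, {"WWW-Authenticate": "Bearer"}, {"error": "authentication required"}

    # Entity body that fails to parse: client error, 400.
    try:
        data = json.loads(raw_body)
    except ValueError:
        return 400, {}, {"errors": {"body": "not well-formed JSON"}}
    if not isinstance(data, dict):
        return 400, {}, {"errors": {"body": "expected a JSON object"}}

    # Application-level validation: collect every field error before replying.
    errors = {}
    try:
        date.fromisoformat(data.get("start"))  # rejects bad format and Feb 31st
    except (TypeError, ValueError):
        errors["start"] = "must be an ISO-8601 calendar date"
    email = data.get("email")
    local, at, domain = email.partition("@") if isinstance(email, str) else ("", "", "")
    if not (local and at and "." in domain and "@" not in domain):
        errors["email"] = "must look like an email address"  # deliberately minimal check
    if errors:
        return validation_status, {}, {"errors": errors}
    return 201, {}, {"created": True}
```

Keeping 401 out of the validation path also means a count of 401 responses in the access log reflects authentication failures only.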
