Like HTTP 403, HTTP only has a basic form of authentication built in, anything else needs the server to handle it externally (e.g. via session cookies). It wouldn't make sense to send "HTTP 200" in response to trying to access a resource without being logged in just because the request was well formed.

[–] porkloin@lemmy.world 2 points 16 hours ago* (last edited 16 hours ago) (2 children)

Many GraphQL and gRPC APIs do exactly that and return HTTP 200 even if the request didn’t auth.

Just because you are heavily biased toward using HTTP status for application layer errors doesn’t make it right. It is so wildly common that people can’t imagine it working another way, and I get that.

But it’s not “wrong” to do application layer auth status codes and apply no transport layer auth status codes It’s just a different paradigm than most devs are used to.

[–] jj4211@lemmy.world 1 points 6 hours ago

Think the point would be that it's super easy to also set a 'non-ok' status in HTTP. Sure it may be insufficient for sophisticated handling, but at least you can get a vague sense of 'something went wrong'..

Sure have your more specific API specific error code and your error details in the body, but at least toss a generic '500' into the status code. I often find myself writing client software where I don't need specific handling I just need to know 'it failed', and it's obnoxious to deal with these interfaces where I have to sweat multiple potential ways for it to report failures when I just don't care about the specifics. Sometimes an API doesn't even have a consistent place that it sticks it's return code, some don't even define a reasonable way to know 'failure' and require you to explicitly map a huge number of 'info' to ascertain if it's normal or error type state.

[–] The_Decryptor@aussie.zone 3 points 12 hours ago (1 children)

Ehh, that really feel like "But other people do it wrong too" to me, half the 4xx error codes are application layer errors for example (404 ain't a transport layer error, neither is 403, 415, 422 or 451)

It also complicates actually processing the request as you've got to duplicate error handling between "request failed" and "request succeeded but actually failed". My local cinema actually hits that error where their web frontend expects the backend to return errors, but the backend lies and says everything was successful, and then certain things break in the UI.

[–] luciferofastora@feddit.org 1 points 4 hours ago

frontend expects the backend to return errors, but the backend lies and says everything was successful, and then certain things break in the UI

That's a double failure then: not only does the backend do it wrong, the frontend devs don't even know it. If they'd agreed on one way of handling it, they'd still be able to work it out. But if the devs don't even communicate their standards with each other and the frontend devs obviously don't know about the problem...