this post was submitted on 14 Sep 2025
817 points (99.4% liked)

Programmer Humor

26373 readers
2377 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
817
REST my ass đź’© (eviltoast.org)
submitted 3 days ago by orhtej2@eviltoast.org to c/programmer_humor@programming.dev
106 comments fedilink hide all child comments
 
(page 2) 50 comments
sorted by: hot top controversial new old
[–] WhiteRice@lemmy.ml 24 points 3 days ago (1 children)

It’s not us, it’s you

load more comments (1 replies)
[–] Slotos@feddit.nl 18 points 3 days ago (2 children)

JSON API almost always means “not REST”. In other words, it works as intended.

[–] JackbyDev@programming.dev 7 points 3 days ago

I don't wanna be pedantic but most things we call REST aren't REST. The original definition of REST is what we typically call HATEOAS. So when you say JAON API almost always means not REST you need to qualify that.

[–] Aatube@kbin.melroy.org 6 points 3 days ago (11 children)

how would you return metadata or more detailed error codes?

[–] Slotos@feddit.nl 5 points 3 days ago (1 children)

However you like, REST doesn’t dictate anything there. Just be consistent and use hypermedia.

JSON APIs almost never follow REST because they almost never use JSON as hypertext. Worse, no complete stable hypertext JSON standard exists. There’s JSON-HAL, but it lacks a way to represent resource templates (think HTML’s <form>).

Therefore, with JSON APIs ignoring one of the most basic idea behind REST, why would anyone expect them to follow another idea of REST - consistency?

REST is a deceptively simple concept. Any time you build an HTML website a human can navigate without consulting documentation, you’re doing it better than vast majority of swagger documented corporate APIs.

load more comments (1 replies)
[–] eager_eagle@lemmy.world 5 points 3 days ago

returning a 400 never prevented me from adding more info to the response

load more comments (9 replies)
[–] Cruel@programming.dev 15 points 3 days ago (1 children)

Congratulations! You failed.

load more comments (1 replies)
[–] Olap@lemmy.world 7 points 3 days ago (2 children)

GraphQL makes this same mistake

[–] porkloin@lemmy.world 5 points 3 days ago (3 children)

That’s true, but for a good reason. GraphQL is transport agnostic, so using HTTP status to represent errors doesn’t make sense. HTTP is just a carrier for GraphQL, and the status code represents whether or not the HTTP part was successful.

[–] The_Decryptor@aussie.zone 2 points 2 days ago (1 children)

Well no, the HTTP error codes are about the entire request, not just whether or not the actual header part was received and processed right.

Like HTTP 403, HTTP only has a basic form of authentication built in, anything else needs the server to handle it externally (e.g. via session cookies). It wouldn't make sense to send "HTTP 200" in response to trying to access a resource without being logged in just because the request was well formed.

[–] porkloin@lemmy.world 2 points 2 days ago* (last edited 2 days ago) (5 children)

Many GraphQL and gRPC APIs do exactly that and return HTTP 200 even if the request didn’t auth.

Just because you are heavily biased toward using HTTP status for application layer errors doesn’t make it right. It is so wildly common that people can’t imagine it working another way, and I get that.

But it’s not “wrong” to do application layer auth status codes and apply no transport layer auth status codes It’s just a different paradigm than most devs are used to.

[–] jj4211@lemmy.world 1 points 2 days ago

Think the point would be that it's super easy to also set a 'non-ok' status in HTTP. Sure it may be insufficient for sophisticated handling, but at least you can get a vague sense of 'something went wrong'..

Sure have your more specific API specific error code and your error details in the body, but at least toss a generic '500' into the status code. I often find myself writing client software where I don't need specific handling I just need to know 'it failed', and it's obnoxious to deal with these interfaces where I have to sweat multiple potential ways for it to report failures when I just don't care about the specifics. Sometimes an API doesn't even have a consistent place that it sticks it's return code, some don't even define a reasonable way to know 'failure' and require you to explicitly map a huge number of 'info' to ascertain if it's normal or error type state.

load more comments (4 replies)
[–] Olap@lemmy.world 6 points 3 days ago (1 children)

If only that were true. They are intimately connected and to pretend otherwise is laughable to me

[–] porkloin@lemmy.world 7 points 3 days ago (2 children)

What do you mean? You can literally run GraphQL without HTTP. This isn’t just a GraphQL-ism, gRPC also does it https://grpc.io/docs/guides/status-codes/

I understand that most people use GraphQL over HTTP and that from a developer perspective you’d rather have HTTP status codes like every other REST API. To which I’d say, why don’t you just use REST instead?

There are a bunch of legitimate reasons why a clean separation of transport layer and application layer makes sense - you just aren’t using them so it feels like an arbitrary frustration to you.

Have you ever run an application like a golang REST API behind an envoy or nginx proxy or load balancer and gotten an HTTP status 500 back and wrongly assumed it was coming from your application/golang code, only to later find it was a problem at the proxy or load balancer? If so, you’ve experienced the misdirection of combining transport and application layer being forced to share a status field. This isn’t a trivial example - time is wasted every day by developers misdiagnosing errors originating from transport as application errors, and vice versa.

You might not like it, but separating them IS smart design.

[–] jj4211@lemmy.world 1 points 2 days ago

misdiagnosing errors originating from transport as application errors, and vice versa.

Shouldn't the response body disambiguaite clearly whose fault it is? I mean you have to anyway if you advocate for '200 for everything'. You still have that same response body whether the HTTP status code is 200 or 500.

We honor the status code while providing an error body and it's always blatantly obvious whether it's an infrastructure issue or "true backend" issue when we see an issue. In my team I can't recall anyone ever getting confused for even a little bit about whether an observed anomaly was web infrastructure or the backend, despite us setting HTTP status codes to error when, you know, we see an error.

[–] Olap@lemmy.world 2 points 3 days ago

Logs, logs, logs, you'll pour over logs anyway. Hands up anyone who has run GraphQL over anything but http? Won't be many. And then another show of hands please: who's written a basic request using http tooling instead? Bet there's tons!

They threw away loads of tooling for the sake of vanity imo

load more comments (1 replies)
[–] PastelKeystone@lemmy.world 7 points 3 days ago

Another favorite is when the API barfs a stacktrace instead of valid JSON.

[–] Subscript5676@lemmy.ca 6 points 3 days ago

Every time I see someone recommend this at work I die a little inside. Like… C’mon!

[–] NotSteve_@piefed.ca 6 points 3 days ago* (last edited 3 days ago)

Marketo my ~~beloved~~ the bane of my existence. Actually without a doubt the worst API I've ever worked with in my career. The response schemas are random and a 200 means nothing because it might also include a "success": "false"". Our backend API is Python and we have strict typing rule but Marketo really makes that difficult

[–] floo@retrolemmy.com 5 points 3 days ago

Either way, the webpage didn’t load. And fuck literally everyone involved for not explaining to me what I need to do to fix it.

load more comments
view more: ‹ prev next ›