Overview
This post is an update to one I made in 2018 which complained about the clumsy way REST style web services use status codes to
report success or failure for various types of requests. The key point I'm going to make is that the convention of using status codes
like 201 (Created), 204 (NoContent), 400 (BadRequest), etc, is inappropriate for expressing the results from a typical business service.
The list of HTTP Status Codes contains a bewlidering set of values that are mostly related to networking, or web server internals or other esoteric conditions. There is no sensible mapping of these status codes to typical business processing results. You could argue that a 400 (BadRequest) might indicate a bad parameter in a request, but the definition of 400 is far broader than that. If you get a 404 (NotFound), then exactly what is "not found"? Is it some file or database row, or the whole uri? Many other status codes are event trickier to assign some sort of business meaning.
The worst thing about the zoo of possible response codes is that the client has the burden of switching code paths to handle them all, and hoping they haven't missed any. Polite service authors will publish OpenAPI to document all their responses, but it can be time-consuming to safely turn large amounts of documentation into code (although there are various tools that convert OpenAPI into client-side code).
Only 200 (OK)
I eventually got fed-up with thinking about status codes and decided to return only 200 (OK) from my services. This indicates that the request succeeded without any kind of external problem. It does not indicate if the request succeeded in the business logic sense, as some extra standard information in the response body provides that information (explained shortly).
Any response code other than 200 indicates something went seriously wrong unrelated to the service logic, probably a network or web server failure. In this case the client app would probably show a pink screen or similar to indicate a serious problem.
If your service only returns 200, then how do you indicate if the business logic of the request succeeded or not?
I think the simplest way of returning business processing result information is to have some standard properties present in every response. Here is part of a typical error response from one of my services:
{
"code": 2,
"title": "Customer create failed",
"detail": "Customer with key '806000123' name 'Contoso Pty Ltd' already exists.",
// See below for more details of what could be here...
"data": null // Success data would go here
}
Exactly what standard properties to place in the response is your choice, and there are many articles that argue around this matter. In recent years there have been attempts to standardise error reporting properties, such as RFC 7807. The full RFC error response recommendations may be overkill for most business scenarios, but it's worth considering following some of the naming conventions.
Coding Details
What follows is specific to the C# language, but it can easily be applied to any other modern language.
There are two ways to return standard response properties. Firstly, define a base class with the properties and derive all responses from the base class. This does cause the standard properties to merge into the response properties at the root level, which might look a bit confusing. Secondly (my preference), is to have a generic response class like this:
public class ResponseWrap<T>
{
public ResponseWrap(T data)
{
Data = data;
}
public ResponseWrap(int code, string? title, string? detail = null)
{
Code = code;
Title = title;
Detail = detail;
}
public string? Title { get; set; }
public string? Detail { get; set; }
public bool HasError => Code != null;
public int? Code { get; set; }
public T Data { get; set; }
}
Note how the standard properties are at root level, and so is a Data generic property which is expected to contain any data that is in a success response. This results in a simply shaped JSON document common to all service responses. Clients can inspect the HasError property to determine if the business logic of the requests suceeded or not. The exact code is flexible and can be adjusted according to coding preferences, but the important fact is that there are some root standard properties and one of them indicates success or failure. In case of success, the Data property will contain the return data and the other root properties will be null, and in case of failure the reverse is true.
Returning values from service methods will be easier as there is no need to construct different response status codes and types. The pair of constructors of the response class simplify service code to look like this:
if (cust == null)
return new ResponseWrap<Customer?>(2, $"Customer {id} not found", null);
else
return new ResponseWrap<Customer?>(cust)
.NET Web API Global Errors
Unhandled errors in a .NET Web API controller will result in a 500 (InternalServerError) and a response body that doesn't contain any useful diagnostic information. In .NET Core services you can use a global exception handler to trap unexpected errors and convert them into the standard response so that clients always receive the same shaped JSON response bodies.
This is entirely optional, as letting the error propagate back to the client as a status 500 will clearly indicate to them that something went seriously wrong, and the response body might be irrelevant anyway. The service should have internally logged the detailed error details so that developers can diagnose the problem.
Summary
By reducing the REST responses down to a single status code and putting standard properties in the response, it could be argued that I'm hijacking the REST conventions and turning them into a toy protocol. I can't argue with that, but as a developer I really need a simple protocol to return only success or failure information without the mental bother of applying status codes to my business logic (where that's meaningful). It also simplifies the coding on the service and client sides.
Ironically, the .NET SOAP protocol I used back in the 2000s was actually similar to what I'm doing now. I'm conforted to know that I'm not the only person who has considered ignoring status codes, as I recently used the API of a parcel shipping company who only returned status 200 and they had a root property named code in all their responses to indicate success or failure. In their case, curiously, code=300 indicated success.
No comments:
Post a Comment