tags:

views:

163

answers:

8
+1  Q: 

REST standard for GET on a resource that doesn't exist

The resource /user/12345 doesn't exist. Lets say the consumer is trying different ids randomly. There is no authorization. Any user can view any user. In a broader sense, my question is "What should you return if you do a GET on a resource that doesn't exist?"

Should I return an empty user for an id that doesn't exist or should I return an error message with proper status code?

What is the typical/usual/recommended practice?

+13  A: 

Return 404 status code.

Byron Whitlock  2009-10-07 18:59:31
+1  A: 

A GET should only retrieve something that exists.

So I would return a 404.

DJ  2009-10-07 19:00:06
+1  A: 

That looks like a 404 error to me - resource not found.

Nathan  2009-10-07 19:00:11
+4  A: 

@Byron is right, return HTTP 404. You want to leverage all of the capabilities of HTTP, and these include response status codes. So if there is a client error, return a 4xx error code, and if your server code has an internal problem, return a 5xx error code, etc.

Richardson and Ruby's RESTful Web Services (O'Reilly) has a good discussion of this, and an appendix with all the most important HTTP error codes and when to use them.

Jim Ferrans  2009-10-07 19:01:51
+5  A: 

It depends on your security concerns a little bit. I would either send a 404 if it is OK that the guesser finds out if that user id does not exist, or send 401 for all attempts on unauthenticated accesses to any resource under /user

stinkymatt  2009-10-07 19:02:05
+1 That's not a bad idea.
Byron Whitlock  2009-10-07 19:04:51
Decide on either 401 or 404 and stick with it for all IDs, whether they exist or not. You don't want a hacker finding out which IDs are worth something by analysing which ones returned which error code.
Christian Hayter  2009-10-07 19:11:05
+3  A: 

404

That said, this assumes you first checked authorization to that operation -> /user/[id] and if the user wasn't allow to access Other users accounts you would return 401.

Never rely on the user not knowing user ids ...

eglasius  2009-10-07 19:04:53
+2  A: 

If the user is authenticated and authorized, return 404. If the user is unauthenticated and unauthorized, send them to a page to get authorized.

MatthewMartin  2009-10-07 19:29:41
A: 

From your original question, with no authorization, this is clearly a 404. If you were to add authorization, then it would actually be acceptable to return a 404 for all unauthorized requests; this prevents random ID guessing by distinguishing 401 or 403 (exists, but unauthorized) from 404s (nonexistent) as some of the other answers suggest. Per the RFC:

10.4.5 404 Not Found ... This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

Jon Moore  2009-11-01 02:04:24

related questions

Mocking WebResponse's from a WebRequest
What's the best way to learn server RESTful code?
JAX-RS Frameworks
SOAP or REST
Are REST request headers encrypted by SSL?
REST in Java
REST type API for non web based applications, Is It a good idea?
Getting started with REST
Plain text passwords in Ruby on Rails using Restful_Authentication
Where WCF and ADO.Net Data services stand?
REST how to handle query parameters when put to resource?
Any way to handle Put and Delete verbs in ASP.Net MVC?
How do you implement resource "edit" forms in a RESTful way?
Friendly URLs for ASP.NET
Possible to create REST web service with ASP.NET 2.0
Strange Rails Authentication Issue
How to respond to an alternate URI in a RESTful web service
Guide to choosing between REST vs SOAP services?
guid REST URL for ado.net dataservice call?
RESTful web services and HTTP verbs
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Best Practices for securing a REST API / web service
Document or RPC based web services
Modify Address Bar URL in AJAX App to Match Current State