I am using put to modify a resource. I was wondering what is the appropriate status code to return when the id given in the path is different from the id given to the body of the resource.
e.g.
REST api action method is: /resources/{id}
Body:
{
"id": "test",
"name": "my_resource"
}
What HTTP Status Code should be returned to the following curl request?
curl -X PUT 'localhost:8080/resources/test2' \
--header 'Content-Type: application/json' \
--data-raw '{
"id": "test",
"name": "my_resource"
}'
You can probably make an argument for any of
403 Forbidden (I understand your request, and I decline to fulfill it - see response body for details)
409 Conflict (Your proposed change conflicts with the current state of the resource - see response body for details)
422 Unprocessable Content (The body of your request is internally consistent, but doesn't make sense here - see response body for details).
For the general purpose elements of the HTTP application itself, it doesn't very much matter which of these you choose - they are all non-cacheable errors, the component isn't going to have any sort of automatic recovery, etc.
One tie breaker you might consider is how these entries are going to appear in your access logs / how your automated monitoring is going to handle them: if you want these messages to stand out in your logs, then you'll want to choose status code that's not overloaded with other meanings.
For more details, see section 15.5 of HTTP Semantics
Do you think that a 500 Internal Server Error with a proper explanation would be fine as well or is it confusing?
5xx Server Error is inappropriate when the information in the request is the source of the problem, because the form of the request is the client's responsibility, not the server's.
Loosely: 4xx covers all of the cases where the server is announcing "you should not have asked for that". 5xx is for variations of "what you asked for is fine, but I couldn't do it."
See the HTTP Semantics spec, in particular sections 15.5 and 15.6 (or, if you prefer the earlier reference, RFC 7231 6.5 and 6.6)
Related
Background:
Let's have a WebAssembly (wasm) originating from .net code.
This wasm uses HttpClient and HttpClientHandler to access a backend API at https://api.uri.
The actual backend API location might change in time (like https://api.uri/version-5), but there is still this fixed endpoint, which provides redirection (3xx response) to the current location (which is in the same domain).
The API allows CORS, meaning it sends e.g. Access-Control-Allow-Origin: * headers in the responses.
In the normal (non-wasm) world, one just:
Plainly GETs the https://api.uri with no additional headers (CORS safe).
Retrieve the Location: header (containing e.g. https://api.uri/version-5) from the 3xx response as the final URI.
GETs/POSTs the final URI with additional headers (as needed, e.g. custom, auth, etc.).
Note: In ideal world, the redirection is handled transparently and the first two steps can just be omitted.
Although in the wasm world:
You are not allowed to (let the wasm/browser) send the OPTIONS pre-flight requests to a redirecting endpoint (https://api.uri).
You can't send any non-cors headers, when wanting to prevent pre-flight requests (reason for two stages, plain and full, described above).
You can't see the Location: header value (like https://api.uri/version-5) when trying the manual redirection (HttpClientHandler.AllowAutoRedirect = false), because the response is just artificially crafted with HTTP status code of 0 and ReasonPhrase == "opaqueredirect" - adoption to browser's Fetch API. What a nonsense! #1...
You can't see the auto-followed Location: header value in response.RequestMessage?.RequestUri, when trying the (default) automatic redirection (HttpClientHandler.AllowAutoRedirect = true), because there is still the original URI (https://api.uri) instead of the very expected auto-followed one (https://api.uri/version-5). What a nonsense! #2...
You can't send the full blown request with all the headers and rely on the automatic redirection, because it would trigger pre-flight, which is sill not allowed on redirecting endpoint.
So, the obvious question is:
Is there ANY way, how to handle such simple scenario from the Web Assembly?
(and not crash on CORS)
GET https://api.uri => 3xx, Location: https://api.uri/version-5
GET https://api.uri/version-5, Authorization: Basic BlaBlaBase64= ; Custom: Cool-Value => 200
Note: All this has been discovered within the Uno Platform wasm head, but I believe it applies for any .net wasm.
Note: I also guess "disabled" CORS (on the request side, via Sec-Fetch-Mode: no-cors) wouldn't help either, as then such request is not allowed to have additional headers/methods, right?
I am writing a SmartHome skill and need an access token to post asyncrhonous notifications for a device (doorbell). The documentation is confusing - but from what I have infered - I am supposed to get my client_id and client_secret from the Alexa console, and get the Bearer Token during the initial skill connection/authorization, then request the access token (and refresh token) via OAuth. So I can get these three pieces of info, but then I try to do:
curl -vv X POST -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -d "\
grant_type=authorization_code\
&code=$CODE\
&client_id=$CLIENT_ID\
&client_secret=$CLIENT_SECRET" \
https://api.amazon.com/auth/o2/token
Where CODE came from the initial authorization request as:
"payload": {
"grant": {
"code": "<<REDACTED>>",
"type": "OAuth2.AuthorizationCode"
},
But this always gives me:
{"error_description":"The request has an invalid parameter : code","error":"invalid_grant"}
If I remove the code parameter it complains it's missing, and if I change the code to something invalid, the error changes from invalid_grant to invalid_request. So it understands the code - but doesn't like something about this whole flow.
(I know the client_id, client_secret and grant_types are valid, because when I change them to something deliberately erroneous, I get some expected error).
Any idea what I'm doing wrong??
The code can only be used once - whether it succeeds or not. So even if you use it and your request is botched or otherwise doesn't work - you cannot reuse it. The only was I was able to handle this was to disable the skill, re-enabled it, then snoop and use the new code given.
Looking to send an HTTP POST through Microsoft Flow/Power Automate to make a voice call in Twilio. I feel like I've tried every iteration possible, but keep getting the error 21201:
{
"code": 21201,
"message": "No 'To' number is specified",
"more_info": "https://www.twilio.com/docs/errors/21201",
"status": 400
}
Screenshot of Power Automate HTTP Action
I've seen other vids of people using Azure Functions with C# and it feels like I should be able to do what I need here...like, really close. But I'm not a dev, so maybe I'm way off. Would appreciate any direction on this.
Thanks!
The issue appears to be you are sending a content type of application/json where Twilio requires application/x-www-form-urlencoded
Creating or Updating Resources with the HTTP POST and PUT Methods
Also found this:
Custom connector action with x-www-form-urlencoded content-type
Both GET and POST methods supported by the endpoint. The POST method is recommended to call endpoint with a huge number of user ids to follow, because the GET method will lead to an oversized URL that the server can't handle. How the "follow" parameter can be passed in the body of the request?
UPD: here is what I've already tried using Insomnia (the URL is always 'https://stream.twitter.com/1.1/statuses/filter.json' and the method is always 'POST' and the server response is always "No filter parameters found. Expect at least one parameter: follow track locations"):
A plain text body with Content-Type: text/html
follow=2731236345
A json body with Content-Type: application/json
{
"follow": "2731236345"
}
Another json body
{
"follow": [
2731236345
]
}
However, when I use form-url-encoded with field "follow" and the value "2731236345" I receive the response "Unauthorized".
First of all, consider looking at the Twitter Developer Labs new endpoint, because this existing API will be retired, likely (but not yet confirmed) in 2020.
When you say "without any success", what libraries are you using, and at what levels of query parameters - you're not being very clear about what is not working here. 5000 user IDs is very large. Can you please be more specific about the errors you're seeing, and the code you're trying to run?
I've managed to connect using curl:
curl --request POST \
--url 'https://stream.twitter.com/1.1/statuses/filter.json' \
--header 'authorization: <censored>' \
--data 'follow=2731236345'
The same request doesn't work in Insomnia for some reason, but it doesn't matter for the goal of this post.
I am using webhooks for the first time with calendly.com. I would like to create a subscription as described here. When I get to doing this
curl --header "X-TOKEN: <your_token>" --data "url=https://blah.foo/bar&events[]=invitee.created" https://calendly.com/api/v1/hooks
I am concerned that the url is not in a valid format. I tried replacing the & with a ? as in here
curl --header "X-TOKEN: <your_token>" --data "url=https://blah.foo/bar?events[]=invitee.created" https://calendly.com/api/v1/hooks
but I receive this error
{"events":{"events":["can't be blank]}}
Likewise, I try to leave the & and everything after it blank and it give the same error as above.
But using a url with the & and everything in it gives a 404 not found error. Can a url even have the format they are saying is required?
But using a url with the & and everything in it gives a 404 not found error.
The URL part in the following is just the https://blah.foo/bar part before the & character.
curl --header "X-TOKEN: <your_token>" --data "url=https://blah.foo/bar&events[]=invitee.created" https://calendly.com/api/v1/hooks
The events[]=invitee.created part is a separate parameter and value. It’s not part of the url.
See the Create A Webhook Subscription page in the calendy docs:
So the URL is the site that runs your webhook; you don’t send the events parameter/value back to that site—instead you’re sending both the url param and events param to the calendly API endpoint at https://calendly.com/api/v1/hooks. The calendly backend presumably then calls to https://mywebsite.com/webhooks/invitee_created or https://blah.foo/bar whatever url you’ve given it—but without the events parameter, which is for calendly’s internal use.