Should I return a 401 or a 405 response code to a REST API user without sufficient access?
I'm developing an API which will also have an authentication/authorization component.
Anybody, regardless of authentication status, will be able to write (POST), but depending on if you are unauthenticated, authenticated as a normal user or authenticated as an admin and what resource you are trying to access I'm going to return different responses for GET, DELETE and PUT.
I'm trying to figure out the most appropriate response code for a user who isn't authenticated and/or authorized.
Keep in mind http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html:
Unauthorized -> 401
Forbidden -> 403
Method Not Allowed -> 405
Let's use a specific examples:
- John Doe is unauthenticated, on DELETE should he receive a 401 or a 405?
- Amy is authenticated but not authorized, on DELETE should she receive a 403 or a 405?
(Keep in mind that even though John and Amy are forbidden or unauthorized that doesn't mean they arent able to access the same resource with a different HTTP VERB.)
Thanks.
Answer
In this case, I think providing some examples for clarification are useful:
- Unauthenticated + Supported method =
401 - Unauthenticated + Unsupported method =
405 - Authenticated + Authorized + Supported method =
2xx - Authenticated + Authorized + Unsupported method =
405 - Authenticated + Unauthorized + Supported method =
403 - Authenticated + Unauthorized + Unsupported method =
405
In other words, from a procedural standpoint:
- Check whether methods are supported. If not:
405 - If supported, check if the user is authenticated. If not:
401 - If authenticated, check if the user is authorized. If not:
403 - If authorized:
2xx
EDIT: I stumbled upon this diagram and thought it might be useful to anyone else who might stumble across this post. Click to enlarge.
Original here.
