HTTP status to return after trying to logout without being logged in
Suppose I have a RESTful authentication endpoint:
http://example.com/api/v1/auth
- A
POSTrequest with email and password allows for logging in. A request gets countered with a response with HTTP 200 for correct login or 403 for incorrect. - A
DELETErequest allows for logging out.
It's obvious that after a successfuly logout I should return HTTP 200. What HTTP response code should I return, if a user tries to logout without being logged in?
Answer
It's obvious that you should return status 200 for successful logout? Not at all. If you don't return a response with that status, then 204 or 205 would be more appropriate (205 = "no content, refresh"), since there is no content to return, and the client should probably refresh its view.
If the user wasn't logged in: Think about what a client would think about it. Either the client wasn't aware that the user wasn't logged in. Or the client wasn't sure whether the user wasn't logged in, and logged out just in case. After the call, the user is logged out. What purpose would it serve to give a different status than for a formerly logged in user? Even if the client detected such a status correctly, what is there that the client could usefully do?
I'd give the exact same response. Don't see it as "I was logged out", see it as "I am not logged in". If you really want to report it, return status 200 with a different content for users that were logged in and users that were not logged in.