In order to gracefully handle a refund request on a transaction that has already been refunded, I should have the possibility to check the exact error code returned by PayPal REST API in case of a POST https://api.sandbox.paypal.com/v1/payments/capture/{captureid}/refund request.
similarly to the classic API I thought (but I was wrong) that in this case an error 10009 could be returned (https://developer.paypal.com/docs/classic/api/errorcodes/).
Actually when I try to request a refund for a payment that has already been captured i got a 400 HTTP status and the JSON body below:
{
"name": "TRANSACTION_REFUSED",
"message": "The request was refused.This transaction has already been fully refunded",
"information_link": "https://developer.paypal.com/webapps/developer/docs/api/#TRANSACTION_REFUSED",
"debug_id": "e3f52374ef2e7"
}
I was wondering if there's a way to to look for this specific error other than inspecting the "message" value included in the JSON response.
Thanks,
Andrea
I believe you already got an answer from the PayPal-Java-SDK GitHub repository issue #148.
In case someone else has the same question, today, the HTTP response code is a general error code, and the message in the body is the best way to identify the cause. Please make a feature request to PayPal Technical Support so this enhancement can be considered for a future release.
Related
We have POST API that gives particular user's contact details in response. But as this is confidential data, to access this detail, anyone accessing it needs to put verified mobile number.
The request looks like:
POST /api/userdetails
{
"userid": 123,
"mobile": "+1394839843"
}
What should be status code if "mobile" number is not a verified number in our database?
What should be status code if "mobile" number is not a verified number in our database?
From a very high level: think about what you would expect a plain old web site to do if a user submitted a form with a "not verified number" and do that.
The charts in Michael Kropat's Stop Making It Hard breaks the process down into more specific questions.
Is there a problem with the request? That's clearly a yes, here, so we know immediately that you'll want to use some code from the 4xx class.
From there, it's just a matter of looking through the semantics of each code and seeing which one best fits.
400 Bad Request is the generic client error, so you use that if you can't find a better match.
403 Forbidden is roughly "I understand your request, but decline to act upon it." This is most commonly associated with authentication and ACLs, but the standard doesn't actually require that. Given your description, it's not a bad match.
422 Unprocessable Entity from WebDav, is another possibility. I'd reject it, on the grounds that the schema of the message body is perfectly correct, the problem is that the specified value isn't aligned with the current state of the server. You might want to review a previous discussion about 400 vs 422
What response (code + content) should I return when my JsonAPI is requested to perform some operation that has already been done or does not make sense ?
Example : suppose I want to request an article publication. The article draft is updated through a specific endpoint (irrelevant here), and there is a specific endpoint one for publication (whose response we are interested in)
4 different scenarii, I need to figure out what type of response to send each time :
Publication had never been requested, and the article has all publication mandatory information, it makes sense to request publication so I'm returning a 202 accepted response with the article resource including the "publication requested at" attribute
A successful publication publication request was already sent/acknowledged, and no one had time to review it in between. What should I return ?
A previous publication request was reviewed by someone and accepted (the article is now published). The API receives once more a publication request to this article that was already published, it doesn't make sense, what should I return ?
The article does not have all mandatory information filled and someones make a publication request. I must inform the user his request was not granted because of errors. I was thinking for this one I could return the list of validation errors. Sounds fair ?
Your first two bullets...
Publication had never been requested, and the article has all publication mandatory information, it makes sense to request publication so I'm returning a 202 accepted response with the article resource including the "publication requested at" attribute
A successful publication publication request was already sent/acknowledged, and no one had time to review it in between. What should I return ?
...are amenable to 202 Accepted:
202 Accepted: The request has been accepted for processing, but the processing has not been completed. The request might or might not be eventually acted upon, and may be disallowed when processing occurs.
Your third bullet:
A previous publication request was reviewed by someone and accepted (the article is now published). The API receives once more a publication request to this article that was already published, it doesn't make sense, what should I return ?
I would probably use a 303 redirect here:
303 See other: The response to the request can be found under another URI using a GET method. When received in response to a POST (or PUT/DELETE), the client should presume that the server has received the data and should issue a redirect with a separate GET message.
But you could also consider a 308 permanent redirect:
308 Permanent Redirect (RFC 7538): The request and all future requests should be repeated using another URI. 307 and 308 parallel the behaviors of 302 and 301, but do not allow the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly.
But I'd lean towards the 303.
And your last bullet:
The article does not have all mandatory information filled and someones make a publication request. I must inform the user his request was not granted because of errors. I was thinking for this one I could return the list of validation errors. Sounds fair ?
This is a standard "bad client request" (4xx) with errors:
400 Bad Request: The server cannot or will not process the request due to an apparent client error (e.g., malformed request syntax, too large size, invalid request message framing, or deceptive request routing).
Just make sure you don't expose the implementation details of your service when you enumerate the errors in your response.
Remember:
2xx responses indicate success
3xx responses indicate redirection
4xx responses indicate a failure on the part of the client
5xx responses indicate a failure on the part of the application servicing the request
Source: List of HTTP status codes
My payment endpoint which accepts a POST should deny requests when the user does not have any payment methods configured. What is the correct HTTP status code in this case?
What is the correct HTTP status code to be raised when the system itself cannot reach the state asked for by the request and another request (creating a payment method) must be completed first?
I looked at 428 Precondition Required, but that seems to have more to do with the headers than the state of the system.
I would go simply with 400 Bad Request. If you need more specific instructions or hints in the response, you can return a body, which will indicate the exact nature of the error.
You don't need to assign a specific HTTP error code to all your internal business-related error cases. Indeed this is probably not possible anyway.
The specification on 400: https://www.rfc-editor.org/rfc/rfc7231#section-6.5.1
Relevant quotes from there:
indicates that the server cannot or will not process the request due to something that is perceived to be a client error
And about the 4xx codes in general:
the server SHOULD send a representation containing an explanation of the error situation, and whether it is a temporary or permanent condition
Did you look into error 424 Failed_Dependency? I think this could bethe one you want.
See
http://www.restpatterns.org/HTTP_Status_Codes/424_-_Failed_Dependency
I was thinking 403. From http://www.restapitutorial.com/httpstatuscodes.html:
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
Edit: Endpoint - POST /users.
The normal HTTP error code for situations like this is 409 Conflict:
The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request. The response body SHOULD include enough
information for the user to recognize the source of the conflict. Ideally, the response entity would include enough information for the user or user agent to fix the problem; however, that might not be possible and is not required.
This should be issued in response to a POST or PUT, typically as part of some sort of RESTful API. It should include a useful error message in addition to the status, and the error should be appropriately encoded (e.g. with XML or JSON).
Obscure HTTP errors are less useful in front-end web services. If you are developing a user-facing website, it's preferable to simply deliver an HTML page explaining the problem with a standard 200 OK.
If you are creating a REST API to create accounts, I would expect the request to be something like:
POST /accounts HTTP/1.1
{userid: "someone#example.com", password: "passw0rd!"}
In this case, I guess an appropriate response code would be 409 Conflict with an error description in the body
HTTP/1.1 409 Conflict
{ error: "Account already exists"}
That status code is for an HTTP error, not what you need. Also, it would be very unhelpful as it does not describe the problem at all.
Why not just send:
Username already exists! Please select another.
403 is an ok response in my opinion. 409 and 412 are also possible choices.
I still wasn't 100% sure after reading the JSON-RPC 2.0 spec about this: Does the spec allow the sender of a Notification the ability to receive back an Error object? For example if the receiver of the Notification failed to parse the payload of the Notification, can it reply back saying that it failed to parse? Or even that is not allowed?
If it allowed, then does the Error object response require the presence of the "id": null or not?
Thanks.
Henry
Yes, you should respond with an error if it's not a valid JSON-RPC request.
If there is not enough progression through the process to determine that the
request object is a notification, it should default to normal request
handling, which would include sending a response... which probably is also
always an error.
Source
As for the second part of your question, yes, you must include "id": null.
id
This member is REQUIRED.
If there was an error in detecting the id in the Request object (e.g. Parse error/Invalid Request), it MUST be Null.
Source