This is a conceptual question.
I have a client (mobile) application that must support the login action with the RESTful web service. Since the web service is RESTful, this means that the client accepts the username / password from the user, verifies that username / password with the service, and then simply remembers to send this username / password with all subsequent requests.
All other answers in this web service are provided in JSON format.
The question is: when I request a web service just to find out if the given username / password is valid, should the web service always respond with JSON data telling me if it was successful or unsuccessful, or should it return HTTP 200 for good credentials and HTTP 401 for invalid credentials?
I ask because some other RESTful services use 401 for bad credentials, even if you just ask if the credentials are valid. However, my understanding of 401 responses is that they are for a resource that you should not have access to without valid credentials. But the login resource MUST be accessible to everyone, because the whole purpose of the login resource is to tell you if your credentials are valid.
In other words, it seems to me that a request like:
myservice.com/this/is/a/user/action
should return 401 if bad credentials are specified. But a request like:
myservice.com/are/these/credentials/valid
should never return 401, because this particular URL (request) is authorized with or without valid credentials.
I would like to hear some justifiable opinions anyway. What is the standard way to solve this problem and is the standard way to handle this logically appropriate?
Matt Jul 30 2018-12-12T00:00Z
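The two URL shapes the question contrasts, worked through as an added example (not code from the question or from any real service): the credentials-check resource answers 200 with a JSON verdict for everyone, while the protected resource answers 401 with the WWW-Authenticate header that RFC 7235 requires. The user store, the salted PBKDF2 hashing, the `basic_header` helper and the realm name are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed demo user store (not from the question): username -> (salt, PBKDF2 hash)
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

def credentials_valid(username, password):
    record = USERS.get(username)
    if record is None:
        _pbkdf2(password, bytes(16))  # hash anyway: an unknown user costs the same time
        return False
    salt, expected = record
    return hmac.compare_digest(_pbkdf2(password, salt), expected)

def basic_header(user, pw):
    """Authorization value a client would send; a demo helper, not part of the service."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def parse_basic(auth_header):
    """Return (user, password) from a Basic header, or None if absent or malformed."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth_header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pw) if user else None

def handle(path, auth_header):
    """Return (status, headers, body) for the two URL shapes the question contrasts."""
    creds = parse_basic(auth_header)
    ok = creds is not None and credentials_valid(*creds)
    if path == "/are/these/credentials/valid":
        # Public check resource: anyone may ask, so the answer is 200 plus a JSON verdict.
        return 200, {"Content-Type": "application/json"}, json.dumps({"valid": ok})
    if path.startswith("/this/is/a/user/"):
        # Protected resource: a 401 must carry WWW-Authenticate (RFC 7235 section 3.1).
        if not ok:
            return 401, {"WWW-Authenticate": 'Basic realm="myservice"'}, json.dumps({"error": "unauthorized"})
        return 200, {"Content-Type": "application/json"}, json.dumps({"user": creds[0]})
    return 404, {}, json.dumps({"error": "not found"})
```

Whichever style the check endpoint uses, a wrong password and an unknown user produce the same body and the same timing, so the response does not leak which half of the pair was wrong.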