Reputation: 20947
I have a server endpoint for confirming a user's email address. If the client tries to confirm again, what status code should I return?
The result should be the REST equivalent to "this was already done" or "you should not do that" or in programming terms "invalid state".
I'm using 404. But I'd like to know how others have dealt with this, and similar situations of "you could do that, but you shouldn't, and we won't allow it".
Upvotes: 0
Views: 1433
Reputation: 57279
> I have a server endpoint for confirming a user's email address. If the client tries to confirm again, what status code should I return?
You'll want to be keeping in mind that the HTTP status codes are metadata from the domain of transferring documents over a network. A REST API is a facade that makes our app/service/domain model look like a document transfer component.
Also, you'll want to be thinking about the fact that the network is unreliable -- how is the client expected to recover if the HTTP response is lost? Because from the point of view of the client, a lost response is indistinguishable from a lost request.
Status codes are primarily metadata; the primary role that they fulfill is to communicate generic response semantics to generic clients (like browsers, or caches). When you are trying to communicate with the human being/machine intelligence running the protocol, you should be expecting to use the message-body.
2xx -- make sure there's nothing wrong with telling the client a second time that everything just worked. There are a lot of cases where this has the actual effect that you want.
410 Gone -- I think this is your best choice for "one time pad" scenarios. The server generates a unique link for some single use, and if it is used, or if some protocol timeout is exceeded, then the URI is burned never to be used again. The payload in this case would probably be a message to the client indicating that the entire protocol needs to start again, and providing links to the protocol start resources.
403 Forbidden -- "I'm sorry Dave, I can't do that". This is a perfectly normal way to say "No".
Upvotes: 2
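As an added example (not code from either poster), here is one way to combine two of the options in the answer above: a repeated confirmation gets the same 2xx as the first one, so a client whose response was lost can simply retry, while a link that timed out unused gets 410 Gone with a pointer to the protocol start in the body. The `ConfirmationStore` class, `TTL_SECONDS`, `RESTART_URL`, the 404 for unknown tokens, and storing only a digest of the token are assumptions made for the example.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 24 * 3600               # assumed link lifetime
RESTART_URL = "/email-confirmations"  # hypothetical protocol-start resource


class ConfirmationStore:
    """In-memory stand-in for the table of issued confirmation links."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(token) -> {"email", "expires", "confirmed"}

    @staticmethod
    def _key(token):
        # Keep only a digest so a leaked table does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)
        self._rows[self._key(token)] = {
            "email": email,
            "expires": self._clock() + TTL_SECONDS,
            "confirmed": False,
        }
        return token

    def confirm(self, token):
        """Return (status, body) for a request to the confirmation link."""
        row = self._rows.get(self._key(token))
        if row is None:
            return 404, {"error": "unknown confirmation link"}
        if row["confirmed"]:
            # Retry after a lost response: same answer as the first time.
            return 200, {"email": row["email"], "state": "confirmed"}
        if self._clock() > row["expires"]:
            # Link burned by timeout: send the client to the protocol start.
            return 410, {"error": "confirmation link expired",
                         "links": {"restart": RESTART_URL}}
        row["confirmed"] = True
        return 200, {"email": row["email"], "state": "confirmed"}
```

The confirmed check runs before the expiry check, so a retry that arrives after the link's lifetime still sees the successful result instead of a misleading 410.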