Irfandy J.

Reputation: 1444

What would be the best-practice standard for backend response of an expired JWT token?

So, what I found useful: according to MDN's HTTP Response Status Code page, the status codes that could qualify are:

  1. 400 Bad Request
  2. 401 Unauthorized
  3. 406 Not Acceptable
  4. 412 Precondition Failed

Now, I was thinking of using 401 but with an error.name or error.code of JwtTokenExpired. But then I saw 400, 406 and 412. I guess 400 is universal, or probably too universal? That makes 406, or probably 412, more like it.

But I'm not sure. People haven't asked this on StackOverflow. So I think it's worth discussing it and knowing that there's a certain standard.

Upvotes: 1

Views: 1091

Answers (1)

Leandro Bardelli

Reputation: 11578

This depends on your security level. For security reasons, some responses are empty of the crucial information if that information is not meant for developers.

For example, if you are working with a client that is developing a call to your API, you can use a complete response describing the problem in a sandbox environment, while in production the information provided is reduced to zero, in order not to give any information to a possible attacker.

That said, you could use 401 if your token works like a security key, or even better 428 (or 412), since the precondition is not fulfilled. A 400 should be the most empty response for this scenario, since it only conveys that the problem is on the client side. For full protection and no information at all, a 204 response would confuse any enemy, but this is only for your concern.

From the RFC 6585:

428 Precondition Required

The 428 status code indicates that the origin server requires the
request to be conditional.

Its typical use is to avoid the "lost update" problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict. By requiring requests to be conditional, the server can assure that clients are working with the correct copies.

Responses using this status code SHOULD explain how to resubmit the request successfully. For example:

HTTP/1.1 428 Precondition Required
Content-Type: text/html

Upvotes: 2
