
I am building an MVC application, and we are using some Ajax calls to an MVC Action like this:

$.ajax({
    url: 'myController/MyAction/1',
    context: document.body,
    success: function (data) {
        $('.modal-title').html(title);
        $('.modal-body').html(data);   // response body is the partial view's HTML
        $(this).addClass("done");
        $('#myModal').modal('show');
    },
    // a = errorThrown, i.e. the HTTP status text sent by the server
    error: function (err, status, a, b) { toastr.error(a) }
});

When everything is OK, the Action returns HTML data and fills the modal body with HTML.
When something goes wrong, it returns status code 400 with a custom message and displays it with toastr (.js - a nice colourful alert box).

Here's the MVC Action called:

public ActionResult MyAction(string id)
{
    var viewModel = new partialViewModel();

    if (!string.IsNullOrEmpty(id))
    {
        var data = Get_Html(id);    // do something, get the html
        if(data == null)
        {
            // something is wrong, return status code 400 with my custom message
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "My error message.");
        }

        viewModel.Data = data;      // fill the viewModel, the partial view is using
    }
    else
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "My error message.");
    }

    // return the partial view filled with data as Html
    return PartialView("_myPartialView", viewModel);
}

I was inspired by these StackOverflow answers: link 1 and link 2

Everything worked fine on DEV PCs, but then we released the application to the customer's server...

The customer's server security is quite high, so he uses gateways which scan the responses the app returns. When something goes wrong (the server returns status code 400 and my message to the client), and goes wrong often (twice per sec. for every logged-in user), there's a possible scenario that the gateways could recognize legit requests which return a legit status 400 as DoS attacks and block the poor user's IP.

Another possible scenario is that one of the gateways can catch my 400, throw it away and return its own custom error with some other status code (and without my custom message!).

Currently I decided to solve it by returning status code 200 (OK) with a special statusText, and then inside the Ajax success function determine if there's this special text and show messages:

//... ajax call ...
success: function (htmlData, a, b) {
    if (b.statusText.indexOf('INT_ERROR:') == 0) {
        toastr.error(b.statusText.replace('INT_ERROR:', ''));
    }
    else {
        // fill and show the modal
    }
}, 
//... the rest ...

But that's not a good solution. Does somebody know a better way? I cannot persuade the customer to change his security. You may also tell me it IS a good solution. I just don't like it.

Thanks

XzajoX
  • public ActionResult MyAction(string id): change the function signature to match the Ajax response. You are returning a partial view ... JsonResult instead of ActionResult. – DarthCoder Sep 11 '14 at 15:33
  • I would consider this as a good option. The question here is: when an error is raised, is it an HTTP communication error (HTTP != 200, content => about communication failure) or a business logic error (HTTP = 200, content => not what we hoped for)? According to the REST spec you should treat the HTTP response code as the logical return. Your environment prohibits that somehow. My opinion would be: Change your MEANS (how to transport data regardless of error or success), not your GOAL. – Marvin Smit Sep 11 '14 at 15:38
  • @DarthCoder Even if I change that, on error I still return HttpStatusCodeResult. – XzajoX Sep 11 '14 at 15:41
  • That will still not solve the problem, @MarvinSmit suggested the change in your approach. You could return a JSON response and based on that proceed with processing on the client end. It's ideally not expected to have an HTML response for JavaScript. – DarthCoder Sep 11 '14 at 15:48

0 Answers
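The approach suggested in the comments (always answer HTTP 200 with a JSON body and let the client decide from the body), sketched as an added example that is not part of the original thread. The envelope fields `ok`, `html` and `message` and the function name `classifyResponse` are assumptions; the check also rejects a response that an intermediary has replaced with its own page.

```javascript
// Added example: envelope field names (ok, html, message) are assumptions.
// The server is assumed to always answer HTTP 200 with JSON:
//   success:        {"ok": true,  "html": "<p>...</p>"}
//   business error: {"ok": false, "message": "My error message."}
function classifyResponse(status, contentType, bodyText) {
  // Anything other than 200 did not come from the action's normal path
  // (network failure, or an intermediary substituted its own error).
  if (status !== 200) {
    return { kind: 'transport-error', detail: 'HTTP ' + status };
  }
  // Require JSON explicitly so a substituted page is not treated as success.
  if (!/^application\/json\b/i.test(contentType || '')) {
    return { kind: 'transport-error', detail: 'unexpected content type' };
  }
  let envelope;
  try {
    envelope = JSON.parse(bodyText);
  } catch (e) {
    return { kind: 'transport-error', detail: 'body is not valid JSON' };
  }
  if (envelope === null || typeof envelope !== 'object' ||
      typeof envelope.ok !== 'boolean') {
    return { kind: 'transport-error', detail: 'missing "ok" flag' };
  }
  if (envelope.ok) {
    return typeof envelope.html === 'string'
      ? { kind: 'ok', html: envelope.html }
      : { kind: 'transport-error', detail: 'missing "html"' };
  }
  // Business error: the message is meant to be shown as text, not markup.
  return { kind: 'app-error', message: String(envelope.message || 'Unknown error') };
}

// Constructed sample responses (not captured from a real server).
const samples = [
  [200, 'application/json; charset=utf-8', '{"ok":true,"html":"<p>Hello</p>"}'],
  [200, 'application/json', '{"ok":false,"message":"My error message."}'],
  [403, 'text/html', '<html><body>Request blocked</body></html>'],
  [200, 'text/html', '<html><body>Request blocked</body></html>'],
];
for (const [status, type, body] of samples) {
  console.log(status, type, '->', classifyResponse(status, type, body));
}
```

In the Ajax call, `kind === 'ok'` would fill the modal, `'app-error'` would go to toastr, and `'transport-error'` would show a generic failure notice.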