3

In a change password request, if the old password is not right, what would be the correct response?

I'm thinking 401 Unauthorized? Or is it 400 Bad Request?

Andre C
  • 457
  • 1
  • 9
  • 26

2 Answers

2

It's a bit tricky because I think you can make the argument for either, and I also feel that 409 and 422 could be argued.

Ultimately I think that it's important to use a more specific HTTP status code, if a generic client can do something useful with the response. Because of this, I think it doesn't really matter in this case.

I think I would be tempted to not use 401, because I associate that closely with the Authorization header, and you're probably not using it in this case.

422 or 400 are the best. This is entirely based on opinion. Either of those indicate that there was something wrong with the request (422 a bit more specific: there's nothing wrong with the format, but there is something wrong with the actual values sent to the server).

409 is sometimes used to indicate that the current request is valid, but the current state of the server prevents it from being successful. Given that the current state of the server is "the current password was something else", 409 could be appropriate.

Ultimately I don't think any is really wrong, and it's not really important but my vote would go to 422 first, and 400 next.

Some sources (first few are mine, last link is from one of the authors of the HTTP specification)

Evert
  • 93,428
  • 18
  • 118
  • 189
0

The answer is the same as it would be for a login page.

Now, what is that answer? There's some disagreement on that question, but in my opinion it's 200. I discuss that in this answer and link to some other opinions.

Kevin Christopher Henry
  • 46,175
  • 7
  • 116
  • 102
  • If the intent of the request is to change a password, then a 200 OK response suggests that that request was successfully completed. – Evert May 03 '20 at 06:22
  • @Evert: That depends on whether that "intent" is part of the application semantics or the protocol semantics. As I said, people have strong opinions on [both](https://stackoverflow.com/a/46379701/2395796) [sides](https://stackoverflow.com/a/3291292/2395796) of that question. Under this view, a `200` response indicates that the request was successfully received and understood, with the result being disclosed in the response body. An incorrect password would not be considered a "client error". – Kevin Christopher Henry May 03 '20 at 09:22
  • @Evert: I think context is also relevant. A good argument can be made for `422` in the context of a RESTful service. I take this question to be about a change password form in a browser, and I believe that returning a `200` for validation errors is fairly universal in that context. – Kevin Christopher Henry May 03 '20 at 09:23
  • True, I took this as a REST API. – Evert May 03 '20 at 15:00
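The distinction both answers draw (401 is about who is asking, 400 is about a malformed request, 422 is about a well-formed request whose values are wrong, and a browser-form style endpoint may instead answer 200 with the error in the body) is easiest to see in a handler that maps each failure to its code. The following is an added example written for this page, not code from either answer; the `change_password` function, its `style` parameter, the in-memory user store and the use of PBKDF2 are all assumptions of the example.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    """Constructed in-memory user record: salted PBKDF2 hash, never the plaintext."""
    username: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is
    # illustrative. A production service would use argon2/bcrypt/scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt))


def verify_password(user: User, candidate: str) -> bool:
    # Derive the candidate hash with the stored salt and compare in constant time.
    return hmac.compare_digest(user.pw_hash, _hash_password(candidate, user.salt))


def change_password(
    users: Dict[str, User],
    session_user: Optional[str],
    raw_body: str,
    style: str = "rest",
) -> Tuple[int, dict]:
    """Return (status_code, response_body) for a change-password request.

    style="rest": a wrong current password yields 422 (Evert's first choice;
                  400 is the equally defensible alternative).
    style="form": a wrong current password yields 200 with the error in the
                  body, the browser-form convention Kevin describes.
    """
    # 401 is reserved for the case where nobody is authenticated at all: it
    # describes who is making the request, not the values inside it.
    if session_user is None or session_user not in users:
        return 401, {"error": "authentication required"}

    # 400: the request itself is malformed (not JSON, or missing fields).
    try:
        body = json.loads(raw_body)
        current = body["current_password"]
        new = body["new_password"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "body must be JSON with current_password and new_password"}
    if not isinstance(current, str) or not isinstance(new, str):
        return 400, {"error": "current_password and new_password must be strings"}

    user = users[session_user]
    if not verify_password(user, current):
        # The request is well-formed; only the supplied value is wrong.
        # The message deliberately says no more than that.
        if style == "form":
            return 200, {"ok": False, "error": "current password is incorrect"}
        return 422, {"error": "current password is incorrect"}

    # Success: store a fresh salt and hash for the new password.
    salt = os.urandom(16)
    users[session_user] = User(user.username, salt, _hash_password(new, salt))
    return 200, {"ok": True}


if __name__ == "__main__":
    store = {"alice": make_user("alice", "old-secret")}  # constructed sample user
    print(change_password(store, "alice", '{"current_password": "wrong", "new_password": "x"}'))
    print(change_password(store, "alice", '{"current_password": "old-secret", "new_password": "x"}'))
```

Note that the 401 branch fires before the body is even parsed, and that the "wrong current password" branch returns the same message regardless of `style`; only the status code changes, which is exactly the point the comment thread turns on.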