问题描述
我正在开发RESTful API,已经实现了基于令牌的身份验证,其中使用时间戳来准备令牌摘要.现在,当请求到达API服务器时,我正在检查提供的时间戳是否无效(即,指定了来自Future/Past的日期时间),然后抛出错误消息,指示检测到未来令牌"或令牌已过期".我需要附加HTTP状态代码,我对哪种状态代码适合这种情况感到困惑?
我已经查看了可用的状态代码( ref1 , ref2 ),到目前为止,我认为此处使用400的错误请求"代替401的未经授权"和403的禁止"状态代码是合适的.
你怎么看?
由于时间戳无效,因此我认为令牌无效.因此,客户端不再经过身份验证.因此,我将抛出401未经授权.您可以随意添加上下文的额外数据作为带有X-前缀的HTTP标头,也可以添加根据接受"请求标头(json,文本等)编码的响应正文.喜欢:
{
"error": {
"status": 401,
"details": {
"code": "401.3",
"description": "The timestamp provided must not be in the future."
}
}
}
它不是403禁止访问:403表示客户端已通过身份验证,但无权发送此请求".就您而言,我认为客户端不再经过身份验证.
I am developing RESTful APIs, I have implemented token-based authentication, where token digest is prepared using time-stamp. Now when request comes to API server, I am checking if the supplied time-stamp is invalid ( i.e. date-time from future/past is specified) then am throwing error message indicating that "future token detected" or "token has expired". I need to attach HTTP status code I am confused about which status code is suitable for this situation?
I have gone through the status codes available (ref1, ref2) so far, I think, using 400 'bad request' will be suitable here instead of 401 'Unauthorized' and 403 'forbidden' status codes.
what do you think guys?
As the timestamp is invalid, I think the token is invalid. So the client is not authenticated anymore. So I would throw a 401 Unauthorized. You're free to add extra data of the context as HTTP header with the X- prefix, or to add a response body encoded according to the Accept request header (json, text, etc.). Like:
{
"error": {
"status": 401,
"details": {
"code": "401.3",
"description": "The timestamp provided must not be in the future."
}
}
}
It is not a 403 Forbidden : 403 means "the client is authenticated but does not have the right to send this request". In your case, I think the client is not authenticated any more.
这篇关于凭证过期错误/异常的HTTP状态代码应该是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!