Problem/Motivation
Existing error messages in Drupal REST responses are one dimensional—a string contextualized by an HTTP status code. This is limiting in several ways:
- It is very difficult to provide adequate depth of insight into an error via a one-line message.
- Categorization of "sub-types" below the level of status code and above the specific error message is difficult, inhibiting ease of troubleshooting research
- The response is too basic to facilitate more advanced integration around fault tolerance and error handling UX.
Proposed resolution
RFC 7807: Problem Details provides a description for structured XML or JSON responses that facilitate greater detail in the error messages.
A few thoughts on some of the available properties:
- type can link to documentation pages on Drupal.org about the error category, driving developers to a landing page to help facilitate research.
- instance might be used in the future for more targeted knowledge base building. With some coordination, dedicated URLs or sections within the type URL could be linked to for more specific delving.
title can be made high-level and unique by type, to facilitate googling without the kinds of identifiers, URIs, and file paths that are unique to an environment.
Example
{
"type": "<url>",
"title": "Access denied to content",
"status": 403,
"details": "Currently authenticated user lacks permission to view content on this site."
"instance": "<url>#access-denied-to-content",
}
Furthermore, problem-specific extensions allow additional properties to be added. There are many future enhancements that might be considered from there.
Remaining tasks
- Decide from a product standpoint if this is a good direction for the Drupal REST implementation
- Create a facility to support message output in the
application/problem+json
orapplication/problem+xml
format. - Perform an initial survey of REST error messages to determine categories.
- For each error category, find or prepare a documentation page to server as the type URL.
- Convert errors thrown in the course of REST responses to be handled by the new error response mechanism.
Out-of-initial-scope
- Handling multiple problems per error response
- Coordinating documentation for error "instance" property
- Adding flags to tailor the error response based on maintenance mode or other site states
User interface changes
REST error responses will change in structure and Content Type. Code which parses and uses the existing structure will break, though backwards compatibility might be preserved by using existing properties as "extensions" per the RFC.
API changes
New representation for errors will likely result in API additions. Changes in error handling might result in API changes to add additional parameters to some exceptions.
Data model changes
None.
Original report
Problem/Motivation
As was discussed in #1865594: Better REST error messages in case of exceptions, we want to respond with clearer error messages. There seem to be two different approaches which are gaining traction, api-problem from the IETF and vnd.error from the HAL community.
Proposed resolution
Decide which to use by default and implement it in a way that makes it easy to change.
Comment | File | Size | Author |
---|---|---|---|
#23 | errors.txt | 1.37 KB | dawehner |
Comments
Comment #1
moshe weitzman CreditAttribution: moshe weitzman commentedAny new inclination about how to proceed here?
Comment #2
klausiCrell's new library might be a candidate for this? https://github.com/Crell/ApiProblem
Comment #3
Crell CreditAttribution: Crell commentedI wasn't really thinking of this issue when I wrote it, but yes, that would make using api-problem dead simple. (I wanted to use it for a project at work, and just to see if I could do it.)
Comment #4
Crell CreditAttribution: Crell commentedProposal: Let's use ApiProblem, including the library linked above, and call it a day. Yay/nay?
Comment #5
fubhy CreditAttribution: fubhy commentedI just ran into a situation where an actual ApiProblem implementation including a bridge to symfony validator would've been really helpful. It should be easy to respond to a request with a list of validation violations.
Edit: The situation in which I needed this (although it might be obvious) was for implementing node entity forms in a React frontend.
Comment #6
Crell CreditAttribution: Crell commentedApiProblem is good, but the spec is still not finalized. It's in draft 7 now, I think. I just updated my library for it a few weeks ago. :-)
I'm not against using it, but I want to be cautious about API stability. I'm not sure if we want to lock ourselves into a draft spec that may change for the next however many years of D8's life.
That said, a contrib module that tosses ApiProblem in place would be quite simple to write. I did so for a Symfony project last month and it took less than a day. That may be the safer option from an API stability standpoint.
Comment #7
Crell CreditAttribution: Crell commentedDiscussed with Klausi in IRC. We'll go with a contrib module for now. Once ApiProblem settles down as a spec we can look at moving it into core in a later 8.x release or in D9.
Comment #8
Wim LeersComment #11
Grayside CreditAttribution: Grayside at Phase2 commentedI hadn't heard of application/vnd.error+json somehow, despite lots of work around HAL resources. The post example looks a little more obscure from a DX perspective, and I do not see any benefits not present in api-problem except for more explicit direction on how to handle multiple errors.
REST should use one problem format, so a format that mostly makes sense to HAL-focused eyes would be out of place in some cases.
Comment #12
Crell CreditAttribution: Crell at Platform.sh commentedApi-Problem is now a finalized spec, and my library (linked above) has been updated for the final RFC in the 2.0 version. There will be other features added to the library in time but for now all the core capabilities are there. (Unless we want to move it to be evolvable, a la PSR-7?)
Comment #14
Wim Leershttps://tools.ietf.org/html/rfc7807 was ratified in March 2016.
Comment #15
Wim LeersNote that #2808233: REST 403 responses don't tell the user *why* access is not granted: requires deep Drupal understanding to figure out already helped improve our REST error responses a lot. And thanks to #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method, we're thoroughly testing every single one of our responses.
It's now more feasible than ever to adopt this. The main question is: do we want this?
Comment #16
Wim LeersAlso, I wonder if #2856110: [PP-1] Expose entity validation errors in a machine readable REST API: is basically a duplicate of this? It focuses on entity validation errors. But if we're going to do that, we should just adopt this RFC right away, rather than first creating our own format, and then causing disruption for REST clients by moving from HEAD's validation error responses (which are basically unparseable plain text) to the custom JSON format there and then finally to the format defined by RFC 7807.
Comment #17
Wim LeersUpdating title to match the RFC.
Comment #18
Wim LeersIn #14+#17, I updated the issue title to choose RFC 7807. I had missed for a moment that the Is said:
Well, since then, a clear winner emerged: RFC 7807/
application/problem+json
from the IETF (ratified in March 2016) —application/vnd.error+json
from the HAL community was last updated on September 9, 2014.So, let's be more clear/explicit.
Comment #19
Wim Leers… and the title already was explicit/clear, but the IS was not yet.
Rather than writing an entirely new IS, let's copy/paste the one from #2811483: Adopt Problem Details RFC for REST Error Responses, which is basically a 100% duplicate of this issue. Many thanks to @Grayside (please credit him!) for writing that.
Comment #20
dawehnerI'm wondering whether we can somehow shortcut some of the list entries explained in issue summary.
We have a concrete problem out there and some of those would require quite a lot of work:
I'm wondering for example whether we could for now just use a non existing URL for the errors?
Comment #21
Wim Leers+1, we do the same for link relation types: see
core/core.link_relation_types.yml
, specifically the top of the file, where it says:Comment #23
dawehnerI wanted to create a document on drupal.org at least starting, but then I realized, you need some special permission for that :(
I'll continue with this document maybe tomorrow or on the weekend.
Comment #24
Wim Leers👍
Comment #25
e0ipsoSince this is a specific format, how is this going to be negotiated? I worry about formats that have their own spec for errors being trampled by this one.
I miss in the IS in what formats this is going to be triggered. Does this only apply to our JSON format in core? Does also apply to HAL? Is this going to apply everywhere and it's the responsibility of any other format to override it? I assume it's the latter, since we already have a format for errors and that's what we're trying to replace.
We're conflating unopinionated / unknown formats with an opinionated format for errors. That may be good, but we need to aknowledge it as a feature.
Comment #27
Wim Leers@edgab has opened a JSON API support request/documentation issue specifically about how to deal with the currently implemented validation error message structure, and how to actually use that in a client application.
Comment #30
Wim LeersFYI: The
jsonapi.module
effectively already implements this, because the JSON:API spec has absorbed the relevant portions from RFC7807. See https://jsonapi.org/format/#error-objects. Even the language is lifted from RFC7807, for example:That doesn't change anything here, but I just wanted to call it out explicitly that this issue applies only to
rest.module
.