[usrbinbash]

> Unlike POST, however, the method is explicitly safe and idempotent, allowing functions like caching and automatic retries to operate.

And just like with POST, whether or not this is actually the case in a given API, depends entirely on the server-side implementation.

Look, I get it. We want to make rules. Rules are good. Rules define things.

But in a world where so many "REST APIs" are actually "RESTful" or REST-ish, or "actually about as REST as a Pelican, but we really liked the sound of the acronym", I wonder if adding one more rule to the pile is really going to substantially change anything.

A majority of APIs don't even use all of the existing HTTP verbs, or HTTP response codes for that matter. And every API is free to make up their own rules. I had the dubious pleasure of consuming APIs that required GET with both a body and urlparams, and which returned 200 on error, but with an `{error: {...}}` object in the body. The crown jewel so far, was an authentication system that had me send credentials as multipart/form-data, with a PUT request (because you inPUT the credentials, see? Not a joke, that was the rationale given to me by the dev who made it.)

[silasdavis]

If you control both ends of the pipe you are free to use the methods and conventions and maybe benefit when something gets cached.

That you cannot rely on consistency is not a reason to have none at all.

Destructive actions can and are also hidden behind a GET. When such an endpoint gets called indiscriminately by the rest of the internet it usually becomes the faulty implementation's problem.

Presumably the same would be true for QUERY.

[usrbinbash]

If I control both ends. And if the server side is not a legacy application that no resources get expended on to fix something that isn't broken.

Those are 2 very big if's.

> That you cannot rely on consistency is not a reason to have none at all.

I want consistency. I stated as much in my post: "Rules are good." I'm just not convinced adding more rules to a collection of rules that already isn't consistently applied in the wild, will give me more consistency.

[ijwdaoijdapwodi]

> A majority of APIs don't even use all of the existing HTTP verbs

That is because there are essentially only 3 verbs in HTTP: GET, POST, and OPTIONS (needed for CORS). All the others are (from a protocol POV) rebranded POST or very specialized (like TRACE or HEAD).

This new method in particular is meant to be useful for proxies, so that they can cache more without risking breaking old stuff

[plugin-baby]

People try to apply rules. REST may sometimes make sense, but much of the time it’s probably simplest and most consistent to JUP - Just Use POST.

[knallfrosch]

I get the 200: Error.

Semantically, it's an error that the frontend can handle and shouldn't show up as "unexpected error" in network logs. Many people treat HTTP error codes as exceptions / real infrastructure problems.

I mean, we build rich clients. You can't simply auth with a user/password header when you get a 401/403 and your browser shows an alert. It's not 2003 anymore.

[usrbinbash]

> Semantically, it's an error that the frontend can handle

No it isn't. Semantically `200 OK` means a request was successful. That isn't me saying that, that's the RFC:

https://datatracker.ietf.org/doc/html/rfc1945#section-9.2

The semantically correct message to signal to the frontend that the error originated on its side, and thus has to be fixed by it, is a 4xx response, period.

https://datatracker.ietf.org/doc/html/rfc1945#section-9.4

> Many people treat HTTP error codes as exceptions / real infrastructure problems.

Doesn't change the fact that they aren't exceptional. A != 2xx response code is not an exceptional occurrence. As soon as I talk to a networked process, especially one that I don't control, I am talking to unreliability, and being able to deal with that is normal program operation, not an exception.

> I mean, we build rich clients. You can't simply auth with a user/password header when you get a 401/403 and your browser shows an alert. It's not 2003 anymore.

So?

What exactly does the auth method I'm using have to do with the server using semantically correct return codes?

Luckily, I also consume a lot of good APIs in my code. Guess what they send back when my client messes up something during OAuth. Hint: It's not `HTTP/200 OK`

[xcdzvyn]

Is this a joke?