Confluence REST is not returning JSON in HTTP response body in case of an error

Question: In case of an error, can I always expect HTTP response body to contain a JSON detailing the error?

Details:
Here is an excerpt from Confluence REST API.

Status codes

The Confluence REST API uses the standard HTTP status codes.

Responses that return an error status code will also return a response body, similar to the following:

{
  "statusCode": 404,
  "data": {
    "authorized": false,
    "valid": false,
    "errors": [
      {
        "message": {
          "translation": "This is an example error message.",
          "args": []
        }
      }
    ],
    "successful": false
  },
  "message": "This is an example error message."
}

If I understand the documentation correctly, in the event of a 4xx or 5xx error a JSON document will be returned in the HTTP response body detailing the error.

But when I test it by sending a basic REST GET request with an incorrect token, the response does not contain the JSON in the body. Instead I see text/plain in the body. Here is an example:

HTTP/1.1 401 Unauthorized
Server: AtlassianProxy/1.19.3.1
Content-Type: text/plain
Strict-Transport-Security: max-age=315360000; includeSubDomains; preload
Date: Sun, 13 Feb 2022 21:42:55 GMT
ATL-TraceId: 6099d826e3a10244
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
Connection: keep-alive
Expect-CT: report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/global-proxy", enforce, max-age=86400

Basic authentication with passwords is deprecated.  For more information, see: https://developer.atlassian.com/cloud/confluence/deprecation-notice-basic-auth/

In some 404 cases the response body is empty.

Why am I not getting JSON in the response body in all error cases?

Hi @QuaziIrfan,

Thanks for the post about error responses. For non-2xx responses, the body is more of a suggestion rather than a specific requirement of the protocol. In practical terms, we have many different services and they all respond differently.

If you specifically want a JSON response, are you also specifying the header Accept: application/json as well?

Regards,
James.

1 Like

I was not. I get plain text in the response even when I add --header 'Accept: application/json' with cURL. Which is expected, right?

I am trying to find a reliable way to always get error message details from the response. I was under the assumption that if the server always returns a standard JSON document when an error (4xx or 5xx) occurs, I can just look into the content of ‘message’.

But if that is not the case, how should I proceed?

Hi @QuaziIrfan,

There’s no expectation for HTTP error responses to have a body with a message, and it’s not required by the specification.

If you get an HTTP 401 then it’s defined as Unauthorized. If we provided a message that says “User xyz does not exist.” then this could be used as an attack vector to sniff out possible usernames.

You should also avoid passing the error message directly to the end user. I know in code I’ve worked on before we had to catch the HTTP response and then scan for specific messages. We just treated any response as a string and would search for the phrase we expected.

I hope this helps.

Regards,
James.

1 Like
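The thread leaves the client with three shapes of error response to handle: the documented JSON body, a text/plain body, and an empty body. The following is an added example (not code from the thread, from Atlassian, or from James) of a client-side error handler that copes with all three: it parses the documented JSON shape when present, falls back to a bounded, printable-only text excerpt otherwise, uses the HTTP reason phrase when the body is empty, and keeps the raw detail for logs while showing the end user only the status. The HttpResponse class is a constructed stand-in for whatever client library you use, and the sample responses are constructed from the cases quoted above.

```python
import json
from dataclasses import dataclass, field
from http.client import responses as REASON_PHRASES
from typing import Any, Dict, Optional


@dataclass
class HttpResponse:
    """Minimal stand-in for a client library response (constructed for this example)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _header(resp: HttpResponse, name: str) -> str:
    """Case-insensitive header lookup; returns "" when the header is absent."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _media_type(resp: HttpResponse) -> str:
    """Content-Type without parameters, lower-cased (e.g. 'application/json')."""
    return _header(resp, "Content-Type").split(";", 1)[0].strip().lower()


def _message_from_json(doc: Any) -> Optional[str]:
    """Extract a message from the documented error shape; None if it does not match."""
    if not isinstance(doc, dict):
        return None
    top = doc.get("message")
    if isinstance(top, str) and top:
        return top
    data = doc.get("data")
    errors = data.get("errors", []) if isinstance(data, dict) else []
    parts = []
    for err in errors if isinstance(errors, list) else []:
        msg = err.get("message") if isinstance(err, dict) else None
        if isinstance(msg, dict) and isinstance(msg.get("translation"), str):
            parts.append(msg["translation"])
        elif isinstance(msg, str):
            parts.append(msg)
    return "; ".join(parts) or None


def extract_error(resp: HttpResponse, max_text: int = 200) -> Dict[str, Any]:
    """Classify a non-2xx response as {status, source, detail} for logging.

    source is "json" (documented body), "text" (opaque body) or "empty" (no body).
    detail is meant for logs and diagnostics, not for display to end users.
    """
    if 200 <= resp.status < 300:
        raise ValueError("extract_error expects a non-2xx response")
    body = resp.body.strip()
    if not body:
        reason = REASON_PHRASES.get(resp.status, "Unknown")
        return {"status": resp.status, "source": "empty", "detail": reason}
    # Services differ, so the body is trusted as JSON only if the header says so
    # or it looks like JSON, and only if it actually matches the documented shape.
    if _media_type(resp).endswith("json") or body[:1] in (b"{", b"["):
        try:
            doc = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            doc = None
        msg = _message_from_json(doc)
        if msg is not None:
            return {"status": resp.status, "source": "json", "detail": msg}
    # Fallback: opaque text, control characters dropped, length bounded before logging.
    text = body.decode("utf-8", errors="replace")
    text = "".join(ch for ch in text if ch.isprintable() or ch == "\t")
    return {"status": resp.status, "source": "text", "detail": text[:max_text]}


def user_facing_message(resp: HttpResponse) -> str:
    """What the end user sees: the status and reason phrase, never the raw body."""
    reason = REASON_PHRASES.get(resp.status, "Error")
    return f"Request failed ({resp.status} {reason}). See logs for details."


# Constructed samples mirroring the three cases discussed in the thread.
SAMPLES = {
    "plain_401": HttpResponse(401, {"Content-Type": "text/plain"},
        b"Basic authentication with passwords is deprecated.  For more information, see: "
        b"https://developer.atlassian.com/cloud/confluence/deprecation-notice-basic-auth/"),
    "json_404": HttpResponse(404, {"content-type": "application/json;charset=UTF-8"},
        json.dumps({"statusCode": 404,
                    "data": {"authorized": False, "valid": False,
                             "errors": [{"message": {"translation": "This is an example error message.",
                                                     "args": []}}],
                             "successful": False},
                    "message": "This is an example error message."}).encode()),
    "empty_404": HttpResponse(404, {}, b""),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, extract_error(resp), "|", user_facing_message(resp))
```

The split between extract_error and user_facing_message follows James's two points: the body is treated as an unreliable string that is bounded and sanitised before it goes into logs, and the end user only ever sees the status class, so nothing a service puts in an error body is reflected back to them.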

Thanks for the clarification.