Using HTTP status code is good, but in practice, as I understand the code, it is not used to know if there is an error, it is used to return false
. The exception handler is for JSON parsing.
Having said that, using two different types of content type without changing the header (that is you are reporting application/json
) even on an error, means that it should be expected a JSON.
I strongly believe in “Least expected surprise” methodology, so if the content is usually sent using JSON, it should always be JSON.
BTW, body payload of "Opps something went wrong"
without curly braces is JSON and will be parsed by the engine as JSON, but I would like to see an object: { "error": "Opps something went wrong" }
, because first of all it is returning like every other content, and secondly, helps us to know that there is an error, without guessing or thinking that something else went wrong.
TLS is not a valid “defence” for avoiding malicious payload, because malicious does not always means an outside attacker, but rather an invalid content, and bad escaping that can create an issue for us.
Validating any input is a best practice, and can help us avoid any pitiful with the payload.
Please don’t get me wrong, TLS is a strong security factor, but it should not be the only security mechanism IMO, but rather one in a big chain of mechanisms that are used.
Can you please show me where on the code I happens, because all I see, is that it returns false
, what am I missing?
In ruby raise
means that I created an exception, while throw means that I pass an exception along.
So in other words, raise
create a new call stack, while throw
sends the existed exception stack.
In this case I wish to create the effect of “I didn’t created the exception, but here is the exception for you”.
Does that makes any sense?