We have a PUT endpoint which updates a row with autoincremented MYSQL id. If we specify the id in the body of the request, as in change the id value, the endpoint does not change the id (which is right behavior). But it also returns 200 because technically no validation failed. Should this return a 200? Or should it be a 400 or 403?
If we specify the id in the body of the request, as in change the id value, the endpoint does not change the id (which is right behavior).
If the id received in the payload matches the id stored in the database and the update succeeds, the service should return a successful status code such as 204 or 200.
On the other hand, if the id received in the payload doesn't match the id stored in the database, I would understand that as a client error. And 409 seems to be a reasonable choice: It's used to indicate that the request conflicts with the current state of the resource on the server. The mismatch between the id in the payload and in the database is a conflict.
See how the 409 status code is defined in the RFC 7231:
The
409(Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict. [...]
The response should include all necessary information for the client to recognize the source of the conflict and then be able to resubmit the request. For reporting problems in a Web API, I advise you to check the RFC 7807.