Description
Symptoms
When a client request is made for an API-versioned service without specifying a version, the service returns HTTP status code 404 (Not Found) instead of HTTP status code 400 (Bad Request).
Assuming that a single service named svc is defined with a single version, 1.0, the following is the expected behavior:
Request URL | Status Code |
---|---|
GET /svc | 400 |
GET /svc?api-version=1.0 | 200 |
GET /svc?api-version=2.0 | 400 |
However, the following is the actual observed behavior:
Request URL | Status Code |
---|---|
GET /svc | 404 |
GET /svc?api-version=1.0 | 200 |
GET /svc?api-version=2.0 | 400 |
Analysis
API-versioned services require that a client request a version by default. When a client makes a request for an existing service without an API version, then the behavior should be the same as if the client requested a version that does not exist. The expected HTTP status code in the response for this scenario is 400.
This behavior occurs because there is no branching logic that handles the case where an API version is required but has not been specified, which results in a 404 response. Controller and action selectors should handle this condition and return 400 when a route could match, but an API version has not been provided.
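The branching described above, as an added example that is not the project's own code: a simplified model of version-aware selection that reproduces both tables. The names `SERVICES`, `select_status` and `status_table` are hypothetical, and the registry is constructed to match the svc scenario.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registry for the scenario on this page: one service, one version.
SERVICES = {"/svc": {"1.0"}}


def select_status(url, services=SERVICES, handle_missing_version=True):
    """Return the status a version-aware selector yields for a GET to `url`.

    handle_missing_version=False models the observed behavior, where no branch
    covers "route could match, but no API version was supplied".
    """
    parts = urlsplit(url)
    # Versions declared for routes that could match this path (empty if none).
    candidates = services.get(parts.path, set())
    # parse_qs drops blank values, so "?api-version=" counts as unspecified.
    requested = parse_qs(parts.query).get("api-version", [None])[0]

    if requested in candidates:
        return 200  # route and version both match
    if candidates and requested is not None:
        return 400  # route exists, requested version does not
    if handle_missing_version and candidates:
        return 400  # route exists, version required but not provided
    return 404      # nothing could match, or the missing branch fell through


def status_table(handle_missing_version):
    """Evaluate the page's three requests plus two edge cases."""
    urls = ["/svc", "/svc?api-version=1.0", "/svc?api-version=2.0",
            "/svc?api-version=", "/unknown"]
    return {u: select_status(u, handle_missing_version=handle_missing_version)
            for u in urls}


if __name__ == "__main__":
    for label, flag in (("observed", False), ("expected", True)):
        print(label)
        for url, status in status_table(flag).items():
            print(f"  GET {url:<24} {status}")
```

A path that matches no service still returns 404 in both modes, so the added branch only changes the response for routes that exist.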