v3.3 Errors Handling

API Platform comes with a powerful error system. It handles expected (such as faulty JSON documents sent by the client or validation errors) as well as unexpected errors (PHP exceptions and errors). API Platform automatically sends the appropriate HTTP status code to the client: 400 for expected errors, 500 for unexpected ones. It also provides a description of the error in the Hydra error format or in the format described in the RFC 7807, depending of the format selected during the content negotiation.

# Backward compatibility with < 3.1

Use the following configuration:

api_platform:
    defaults:
        extra_properties:
            rfc_7807_compliant_errors: false

This can also be configured on an ApiResource or in an HttpOperation, for example:

#[ApiResource(extraProperties: ['rfc_7807_compliant_errors' => false])

# Exception status code decision

There are many ways of configuring the exception status code we recommend reading the guides on how to use an Error Provider or create an Error Resource.

  1. we look at exception_to_status and take one if there’s a match
  2. If your exception is a Symfony\Component\HttpKernel\Exception\HttpExceptionInterface we get its status.
  3. If the exception is a ApiPlatform\Metadata\Exception\ProblemExceptionInterface and there is a status we use it
  4. Same for ApiPlatform\Metadata\Exception\HttpExceptionInterface
  5. We have some defaults Symfony\Component\HttpFoundation\Exception\RequestExceptionInterface => 400 and ApiPlatform\Validator\Exception\ValidationException => 422
  6. the status defined on an ErrorResource
  7. 500 is the fallback

# Exception to status

The framework also allows you to configure the HTTP status code sent to the clients when custom exceptions are thrown on an API Platform resource operation.

In the following example, we throw a domain exception from the business layer of the application and configure API Platform to convert it to a 404 Not Found error:

<?php
// api/src/Exception/ProductNotFoundException.php
namespace App\Exception;

final class ProductNotFoundException extends \Exception
{
    // ...
}
<?php
// api/src/EventSubscriber/ProductManager.php
namespace App\EventSubscriber;

use ApiPlatform\EventListener\EventPriorities;
use App\Entity\Product;
use App\Exception\ProductNotFoundException;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\ViewEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class ProductManager implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::VIEW => ['checkProductAvailability', EventPriorities::PRE_VALIDATE],
        ];
    }

    public function checkProductAvailability(ViewEvent $event): void
    {
        $product = $event->getControllerResult();
        if (!$product instanceof Product || !$event->getRequest()->isMethodSafe(false)) {
            return;
        }

        if (!$product->isPubliclyAvailable()) {
            // Using internal codes for a better understanding of what's going on
            throw new ProductNotFoundException(sprintf('The product "%s" does not exist.', $product->getId()));
        }
    }
}

If you use the standard distribution of API Platform, this event listener will be automatically registered. If you use a custom installation, learn how to register listeners.

Then, configure the framework to catch App\Exception\ProductNotFoundException exceptions and convert them into 404 errors:

# config/packages/api_platform.yaml
api_platform:
    # ...
    exception_to_status:
        # The 4 following handlers are registered by default, keep those lines to prevent unexpected side effects
        Symfony\Component\Serializer\Exception\ExceptionInterface: 400 # Use a raw status code (recommended)
        ApiPlatform\Exception\InvalidArgumentException: !php/const Symfony\Component\HttpFoundation\Response::HTTP_BAD_REQUEST
        ApiPlatform\ParameterValidator\Exception\ValidationExceptionInterface: 400
        Doctrine\ORM\OptimisticLockException: 409

        # Validation exception
        ApiPlatform\Validator\Exception\ValidationException: !php/const Symfony\Component\HttpFoundation\Response::HTTP_UNPROCESSABLE_ENTITY

        # Custom mapping
        App\Exception\ProductNotFoundException: 404 # Here is the handler for our custom exception

Any type of Exception can be thrown, API Platform will convert it to a Symfony’s HttpException (note that it means the exception will be flattened and lose all of its custom properties). The framework also takes care of serializing the error description according to the request format. For instance, if the API should respond in JSON-LD, the error will be returned in this format as well:

GET /products/1234

{
  "@context": "/contexts/Error",
  "@type": "Error",
  "hydra:title": "An error occurred",
  "hydra:description": "The product \"1234\" does not exist."
}

# Message Scope

Depending on the status code you use, the message may be replaced with a generic one in production to avoid leaking unwanted information. If your status code is >= 500 and < 600, the exception message will only be displayed in debug mode (dev and test). In production, a generic message matching the status code provided will be shown instead. If you are using an unofficial HTTP code, a general message will be displayed.

In any other cases, your exception message will be sent to end users.

# Fine-grained Configuration

The exceptionToStatus configuration can be set on resources and operations:

<?php
// api/src/Entity/Book.php
namespace App\Entity;

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Post;
use App\Exception\ProductWasRemovedException;
use App\Exception\ProductNotFoundException;

#[ApiResource(
    exceptionToStatus: [ProductNotFoundException::class => 404]
    operations: [
        new Get(exceptionToStatus: [ProductWasRemovedException::class => 410]),
        new GetCollection(),
        new Post()
    ]
)]
class Book
{
    // ...
}

Exceptions mappings defined on operations take precedence over mappings defined on resources, which take precedence over the global config.

# Control your exceptions

With rfc_7807_compliant_errors a few things happen. First Hydra exception are compatible with the JSON Problem specification. Default exception that are handled by API Platform in JSON will be returned as application/problem+json.

To customize the API Platform response, replace the api_platform.state.error_provider with your own provider:

<?php

namespace App\State;

use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ApiResource\Error;
use ApiPlatform\State\ProviderInterface;
use Symfony\Component\DependencyInjection\Attribute\AsAlias;
use Symfony\Component\DependencyInjection\Attribute\AsTaggedItem;

#[AsAlias('api_platform.state.error_provider')]
#[AsTaggedItem('api_platform.state.error_provider')]
final class ErrorProvider implements ProviderInterface
{
    public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
    {
        $request = $context['request'];
        $format = $request->getRequestFormat();
        $exception = $request->attributes->get('exception');

        /** @var \ApiPlatform\Metadata\HttpOperation $operation */
        $status = $operation->getStatus() ?? 500;
        // You don't have to use this, you can use a Response, an array or any object (preferably a resource that API Platform can handle).
        $error = Error::createFromException($exception, $status);

        // care about hiding informations as this can be a security leak
        if ($status >= 500) {
            $error->setDetail('Something went wrong');
        }
        
        return $error;
    }
}
    api_platform.state.error_provider:
        class: 'App\State\ErrorProvider'
        tags: 
            - key: 'api_platform.state.error_provider'
              name: 'api_platform.state_provider'

Note that our validation exception have their own error provider at:

api_platform.validator.state.error_provider:
    tags: 
        - key: 'api_platform.validator.state.error_provider'
          name: 'api_platform.state_provider'

# Domain exceptions

Another way of having full control over domain exceptions is to create your own Error resource:

<?php

namespace App\ApiResource;

use ApiPlatform\Metadata\ErrorResource;
use ApiPlatform\Metadata\Exception\ProblemExceptionInterface;

#[ErrorResource]
class Error extends \Exception implements ProblemExceptionInterface
{
    public function getType(): string
    {
        return 'teapot';
    }

    public function getTitle(): ?string
    {
        return null;
    }

    public function getStatus(): ?int
    {
        return 418;
    }

    public function getDetail(): ?string
    {
        return 'I am teapot';
    }

    public function getInstance(): ?string
    {
        return null;
    }
}

We recommend using the \ApiPlatform\Metadata\Exception\ProblemExceptionInterface and the \ApiPlatform\Metadata\Exception\HttpExceptionInterface. For security reasons we add: normalizationContext: ['ignored_attributes' => ['trace', 'file', 'line', 'code', 'message', 'traceAsString']] because you usually don’t want these. You can override this context value if you want.

You can also help us improve the documentation of this page.

Made with love by

Les-Tilleuls.coop can help you design and develop your APIs and web projects, and train your teams in API Platform, Symfony, Next.js, Kubernetes and a wide range of other technologies.

Learn more

Copyright © 2023 Kévin Dunglas

Sponsored by Les-Tilleuls.coop