{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 欢心 的问题《REST standard for GET on a resource that doesn'》','https://www.manongdao.com/q-1336921.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
The resource /user/12345 doesn't exist. Lets say the consumer is trying different ids randomly. There is no authorization. Any user can view any user. In a broader sense, my question is "What should you return if you do a GET on a resource that doesn't exist?"
Should I return an empty user for an id that doesn't exist or should I return an error message with proper status code?
What is the typical/usual/recommended practice?
@Byron is right, return HTTP 404. You want to leverage all of the capabilities of HTTP, and these include response status codes. So if there is a client error, return a 4xx error code, and if your server code has an internal problem, return a 5xx error code, etc.
Richardson and Ruby's RESTful Web Services (O'Reilly) has a good discussion of this, and an appendix with all the most important HTTP error codes and when to use them.
A GET should only retrieve something that exists.
So I would return a 404.
My opinion: Return an empty 200.
Quite frankly, if a REST resource doesn't exist, it doesn't exist. That means return 404. In your case, however, 12345 is a parameter you are using to identify/lookup a return entity. Resource /user/{userId} does actually exist, so technically I don't believe it is proper to return a 404, although it's clear to see the argument for either side.
If you feel like returning two status codes exposes your system in some way, however, I'd say stick with an empty 200 OK.
That looks like a 404 error to me - resource not found.
If the user is authenticated and authorized, return 404. If the user is unauthenticated and unauthorized, send them to a page to get authorized.
Return 404 status code.