Return errors rather than panicking for callable APIs

[smklein]

No description provided.

[davepacheco]

Thanks for doing this! I was actually going to do this as well so that automated tests (e.g., for authn) could try calling all endpoints without crashing Nexus.

[davepacheco]

I only wonder whether this is ever what we would want to return to clients, or if we'd want this to be a 500?

[smklein]

I don't have a strong opinion - if you want me to fold it into 500, that's an easy change to make - but if this isn't the right use-case for 501, what is?

[davepacheco]

It may well be! I didn't know it existed. The only reason I ask is that it feels like TMI: if a customer sees it it's like we're telling them "not only is there a problem on our side here, but it's that we didn't notice we forgot to implement this". Doesn't really matter.

[smklein]

Actually, reading https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/501 a little closer:

If the server does recognize the method, but intentionally does not support it, the appropriate response is 405 Method Not Allowed.

I'll send back 405 instead.

[davepacheco]

I get why that technically sounds right, but 405 seems much worse to me. If a customer sees this, it's because we literally forgot to implement it, right? This isn't a client error.

[smklein]

Ack, switched to 500 then. I'm running out of error codes to try at this point 😁

[jmpesp]

If this is intended to represent todo! externally, I think it should be a 501 because that "implies future availability". 405 is "not supported" and unlikely to change (aka this endpoint does not accept PATCH).

We should keep 500 for actual server errors.

[davepacheco]

@smklein is this PR still valid?