PATCH (HTTP)
HTTP |
---|
Request methods |
Header fields |
Response status codes |
Security access control methods |
Security vulnerabilities |
In computing, the PATCH method is a request method in HTTP for making partial changes to an existing resource.[1] The PATCH method provides an entity containing a list of changes to be applied to the resource requested using the HTTP Uniform Resource Identifier (URI).[1] The list of changes are supplied in the form of a PATCH document.[1] If the requested resource does not exist then the server may create the resource depending on the PATCH document media type and permissions.[1] The changes described in the PATCH document must be semantically well defined but can have a different media type than the resource being patched.[2] Languages such as XML or JSON can be used in describing the changes in the PATCH document.
History of PATCH
[edit]As per the semantics defined in the HTTP protocol, the GET, PUT, and POST methods need to use a full representation of the resource. The PUT method which can be used for resource creation or replacement is idempotent and can be used only for full updates. The edit forms used in conventional Ruby on Rails application need to create new resources by applying partial updates to a parent resource. Due to this requirement, the PATCH method was added to the HTTP protocol in 2010.[3][4]
PUT vs PATCH vs POST
[edit]HTTP is the foundation of data communication for the World Wide Web. It is a request-response protocol which helps users communicate with the server to perform CRUD operations. HTTP defines a number of request methods such as PUT, POST and PATCH to create or update resources.[5]
The main difference between the PUT and PATCH[6] method is that the PUT method uses the request URI to supply a modified version of the requested resource which replaces the original version of the resource, whereas the PATCH method supplies a set of instructions to modify the resource. If the PATCH document is larger than the size of the new version of the resource sent by the PUT method then the PUT method is preferred.[1]
The POST method can be used for sending partial updates to a resource. The main difference between the POST and PATCH methods is that the POST method can be used only when it is written to support the applications or the applications support its semantics whereas the PATCH method can be used in a generic way and does not require application support. If the outcome of using the PATCH method is not known then the POST method is preferred.[1][7]
Patching resources
[edit]The PATCH method is atomic.[1] Either all the changes specified by the PATCH method are applied or none of the changes are applied by the server.[1] There are many ways of checking whether a patch was applied successfully. For example, the 'diff' utility can be applied to the older version and newer version of a file to find the differences between them.[1]
A cached PATCH response is considered stale. It can only be used for the GET and HEAD requests that may follow the PATCH request.[1]
The entity headers in the PATCH document are only applicable to the PATCH document and cannot be applied to the requested resource.[1]
There is no standard format for the PATCH document and it is different for different types of resources. The server has to check whether the PATCH document received is appropriate for the requested resource.[1]
A JSON Patch document would look like
[ { "op": "add", "path": "/count", "value": 1 } ]
"op" represents the operation performed on the resource. "path" represents the resource being modified. "value" represents the amount being added to the existing resource.[8] Before applying the changes in the PATCH document, the server has to check whether the PATCH document received is appropriate for the requested resource. If the PATCH request succeeds then it returns a 204 response.[9]
A XML PATCH document would look like
<add sel="doc/user[@email='[email protected]']" type="@address"> ABC Road </add>
The element <user> is located using the 'email' attribute. A new attribute 'address' with the value "ABC Road" is added to the <user> element.[10]
Example
[edit]A simple PATCH request example
PATCH /example.txt HTTP/1.1
Host: www.example.com Content-Type: application/example If-Match: "c0b42b66e" Content-Length: 120 [Changes: the patch document containing all the changes that need to be made on the resource example.txt]
Successful PATCH response to existing text file:
HTTP/1.1 204 No Content
Content-Location: /example.txt ETag: "dd541480"
The response 204 means that the request was processed successfully.[11]
Trade-offs between PUT and PATCH
[edit]Using the PUT method consumes more bandwidth as compared to the PATCH method when only a few changes need to be applied to a resource.[citation needed] But when the PATCH method is used, it usually involves fetching the resource from the server, comparing the original and new files, creating and sending a diff file. On the server side, the server has to read the diff file and make the modifications. This involves a lot of overhead compared to the PUT method.[12] On the other hand, the PUT method requires a GET to be performed before the PUT and it is difficult to ensure that the resource is not modified between the GET and PUT requests.
Caution
[edit]The PATCH method is not "safe" in the sense of RFC 2616: it may modify resources, not necessarily limited to those mentioned in the URI.[1]
The PATCH method is not idempotent. It can be made idempotent by using a conditional request.[1] When a client makes a conditional request to a resource, the request succeeds only if the resource has not been updated since the client last accessed that resource. This also helps in preventing corruption of the resource since some updates to a resource can only be performed starting from a certain base point.[1]
Error handling
[edit]A PATCH request can fail if any of the following errors occur:
Malformed patch document
[edit]The server returns a 400 (Bad request) response if the PATCH document is not formatted as required.[1]
Unsupported patch document
[edit]The server returns a 415 (Unsupported Media Type) response with an Accept-Patch response header containing supported media types when the client sends a patch document in a format not implemented by the server. This informs the client that the PATCH document sent by the client cannot be applied to the requested resource.[1]
Unprocessable request
[edit]The server returns a 422 (Unprocessable Entity) response when the server understands the PATCH document but is unable to modify the requested resource either because it causes the resource to become invalid or it results in some other error state.[1]
Resource not found
[edit]The server returns a 404 (Not Found) response when the PATCH document cannot be applied to a non-existent resource.[1]
Conflicting state
[edit]The server returns a 409 (Conflict) response when the server cannot apply a patch for the current state of the resource.[1]
Conflicting modification
[edit]The server returns a 412 (Precondition Failed) response when the precondition supplied by the client using the If-Match or If-Unmodified-Since header fails. If no precondition is supplied and there is a conflicting modification then the server returns a 409 (Conflict) response.[1]
Concurrent modification
[edit]The server returns a 409 (Conflict) response if the PATCH requests to a certain resource need to be applied in a certain order and the server is not able to handle concurrent PATCH requests.[1]
Security considerations
[edit]The PATCH request needs to use mechanisms such as conditional requests using Etags and the If-Match request header to ensure that data is not corrupted while patching.[1] In case of a failure of a PATCH request or failure of the channel or a timeout, the client can use a GET request to check the state of the resource.[1] The server has to ensure that malicious clients do not use the PATCH method for consuming excessive server resources.[1]
References
[edit]- ^ a b c d e f g h i j k l m n o p q r s t u v w x y Dusseault, L.; Snell, J. (2010). "PATCH Method for HTTP". doi:10.17487/RFC5789. S2CID 42062521. Retrieved 2015-09-12.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ "Don't Patch Like An Idiot". Don't Patch Like An Idiot. 14 February 2014. Retrieved 16 September 2015.
- ^ RFC 5789
- ^ "History of PATCH". weblog.rubyonrails.org. Retrieved 25 September 2015.
- ^ "Hypertext Transfer Protocol -- HTTP/1.1". Retrieved 13 September 2015.
- ^ "What is the Difference Between PUT and PATCH?". www.abstractapi.com. Retrieved 2024-10-30.
- ^ "Why PATCH is Good for Your HTTP API". Why PATCH is Good for Your HTTP API. Retrieved 16 September 2015.
- ^ "JSON Patch - draft-ietf-appsawg-json-patch-08". Ietf Datatracker. Retrieved 13 September 2015.
- ^ "PATCH". MDN Web Docs. Retrieved 2018-10-11.
- ^ Urpalainen, J. (2008). "XML RFC". tools.ietf.org. doi:10.17487/RFC5261. Retrieved 25 September 2015.
- ^ "PATCH". MDN Web Docs. Retrieved 2018-10-12.
- ^ Darren (7 May 2014). "REST API Best Practices 3: Partial Updates - PATCH vs PUT". www.blogger.com. Retrieved 13 September 2015.