
[5.x] API Exception Renderer logs 4xx client errors (401, 404) as CRITICAL #45800

@MarcelSchuermann

Steps to reproduce the issue

  1. Set up a standard Joomla 5 instance with the API application enabled.
  2. Ensure error logging is enabled in the global configuration.
  3. Make an API request to a non-existent endpoint (e.g., GET /api/index.php/v1/nonexistent/route).
  4. Make an API request to a valid endpoint that requires authentication, but provide an invalid or no Authorization header.

Expected result

The API correctly returns a 404 Not Found or 401 Unauthorized response. The Joomla error log should either not contain an entry for this event, or it should be logged at a lower severity level like INFO or NOTICE. The CRITICAL log level should be reserved for unexpected 5xx-level server failures.

Actual result

The API returns the correct 404 or 401 response, but a CRITICAL error is written to the log file for each request. This fills the logs with noise from routine, expected client errors, making it difficult to identify genuine server-side failures.

Example log entry:
CRITICAL ::1 error Uncaught Throwable of type Joomla\CMS\Router\Exception\RouteNotFoundException thrown with message "Unable to handle request for route...".

System information (as much as possible)

  • Joomla! version: 5.3.2
  • PHP version: 8.3
  • API Application (api/index.php)

Additional comments

The default Joomla\CMS\Exception\Renderer\JsonapiRenderer treats all exceptions passed to it as severe errors. This behavior is problematic for API applications where client-side errors (like invalid tokens, incorrect URLs, or permission issues) are common and expected operational events.

A more robust logging strategy would be for the renderer to inspect the type of exception. If the exception is a known client-side error type (e.g., RouteNotFoundException, AuthenticationFailed, NotAllowed), it should be logged at a lower severity. If it's a generic \Exception or \Throwable, it should be logged as CRITICAL as is currently the case.

This change would significantly improve the developer experience and the utility of logs for any site making heavy use of the Joomla API, without changing the "safe by default" handling of truly unknown errors.

Related to #45781
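
The type-based severity selection proposed in this issue, sketched as an added example; it is not code from the issue author or from Joomla core. The exception classes are local stand-ins named after the types the issue lists, and `TokenExpired`, `CLIENT_ERROR_LEVELS` and `severityFor()` are hypothetical names introduced for illustration.

```php
<?php
declare(strict_types=1);

// Local stand-ins (assumptions) named after the types listed in the issue.
class RouteNotFoundException extends InvalidArgumentException {}
class AuthenticationFailed extends RuntimeException {}
class NotAllowed extends RuntimeException {}
// Hypothetical subclass, to show that instanceof also covers derived types.
class TokenExpired extends AuthenticationFailed {}

// Allow-list of expected client-side errors and the level to log them at.
const CLIENT_ERROR_LEVELS = [
    RouteNotFoundException::class => 'notice',
    AuthenticationFailed::class   => 'notice',
    NotAllowed::class             => 'notice',
];

// Anything not on the allow-list stays critical, so unknown failures
// keep the current "safe by default" handling.
function severityFor(Throwable $e): string
{
    foreach (CLIENT_ERROR_LEVELS as $class => $level) {
        if ($e instanceof $class) {
            return $level;
        }
    }
    return 'critical';
}

// Constructed sample exceptions: three expected client errors, one derived
// type, and two genuine server-side failures.
$samples = [
    new RouteNotFoundException('Unable to handle request for route', 404),
    new AuthenticationFailed('Invalid or missing token', 401),
    new NotAllowed('Not permitted', 403),
    new TokenExpired('Token expired', 401),
    new RuntimeException('Database connection lost', 500),
    new TypeError('Unexpected null in controller'),
];

foreach ($samples as $e) {
    printf("%-8s %s: %s\n", strtoupper(severityFor($e)), get_class($e), $e->getMessage());
}
```

Logging the 401 and 403 cases at a lower level, rather than dropping them, keeps repeated authentication failures visible to anyone reviewing the log.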
