What are suitable response codes and messages for:
- fields submitted the wrong way (URL parameters vs body) or missing fields
- fields getting invalid values (string instead of numbers, timestamp in future)
- some characters like ?, / break stuff in URL parameters
- Actual failures: invalid credentials, repeating already-done action
At present, we use 400 for all.
Cases 1, 2 and 3 in your question are essentially syntactic errors in the request
=> 400 Bad Request
(RFC 2616 says: The request could not be understood by the server due to malformed syntax.)
As to case 4:
a. Invalid credentials
=> 401 Unauthorized
b. Repeating already-done action
=> 403 Forbidden
(The RFC says: The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.)
But then 409 Conflict and 410 Gone make sense when trying to modify stuff incorrectly (PUT) or accessing resources already deleted, respectively.
And here is RFC 2616 Section 10.
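As an added illustration (not code from the question or the answer), here is one request handler that applies the mapping above to each of the four cases: 400 for misplaced or missing fields, bad values and an unparseable query string; 401 (with a `WWW-Authenticate` challenge) for bad credentials; and 403 for an action that was already performed. The endpoint, field names, credential store and the `done` set of completed actions are all made up for the example; the repeat case uses the answer's 403 and can be switched to 409 by changing one constant.

```python
"""Added example: mapping request-validation failures to HTTP status codes.
Endpoint, field names and credentials are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from http import HTTPStatus
from typing import Optional
from urllib.parse import parse_qs


class ApiError(Exception):
    """Carries the status code and the client-facing message for a failure."""
    def __init__(self, status: HTTPStatus, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


@dataclass
class Request:
    raw_query: str                  # the part of the URL after '?', e.g. "page=2"
    body: dict                      # decoded JSON body
    auth: Optional[tuple] = None    # (username, password) from Basic auth, or None


# Constructed credential store; a real service stores salted password hashes.
USERS = {"alice": "correct horse battery"}
REQUIRED_BODY_FIELDS = ("amount", "timestamp", "action_id")


def authenticate(req: Request) -> str:
    # Case 4a: unknown user or wrong password -> 401. One generic message,
    # so the response does not reveal which half of the credentials failed.
    if req.auth is None or USERS.get(req.auth[0]) != req.auth[1]:
        raise ApiError(HTTPStatus.UNAUTHORIZED, "invalid credentials")
    return req.auth[0]


def parse_query(raw: str) -> dict:
    # Case 3: a query string that does not parse (a field with no '=') is
    # malformed syntax -> 400. Reserved characters a client wants inside a
    # value must be percent-encoded; parse_qs turns %3F and %2F back into ? and /.
    try:
        return parse_qs(raw, strict_parsing=True) if raw else {}
    except ValueError:
        raise ApiError(HTTPStatus.BAD_REQUEST, "malformed query string")


def check_shape(query: dict, body: dict) -> None:
    # Case 1: required fields sent as URL parameters instead of in the body, or absent.
    misplaced = [f for f in REQUIRED_BODY_FIELDS if f in query]
    if misplaced:
        raise ApiError(HTTPStatus.BAD_REQUEST,
                       f"fields {misplaced} belong in the request body, not the URL")
    missing = [f for f in REQUIRED_BODY_FIELDS if f not in body]
    if missing:
        raise ApiError(HTTPStatus.BAD_REQUEST, f"missing required fields {missing}")


def check_values(body: dict, now: datetime):
    # Case 2: right field, wrong value (wrong type, or a timestamp in the future).
    amount = body["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        raise ApiError(HTTPStatus.BAD_REQUEST, "'amount' must be a number")
    try:
        when = datetime.fromisoformat(body["timestamp"])
    except (TypeError, ValueError):
        raise ApiError(HTTPStatus.BAD_REQUEST, "'timestamp' must be an ISO 8601 string")
    if when.tzinfo is None:
        raise ApiError(HTTPStatus.BAD_REQUEST, "'timestamp' must carry a UTC offset")
    if when > now:
        raise ApiError(HTTPStatus.BAD_REQUEST, "'timestamp' must not be in the future")
    return amount, when


def handle_payment(req: Request, done: set, now: Optional[datetime] = None):
    """Return (status, body, headers) as a framework view would.
    `done` records (user, action_id) pairs already processed, so a repeat is refused."""
    now = now or datetime.now(timezone.utc)
    headers = {}
    try:
        user = authenticate(req)          # reject bad credentials before looking at input
        query = parse_query(req.raw_query)
        check_shape(query, req.body)
        amount, when = check_values(req.body, now)
        key = (user, req.body["action_id"])
        # Case 4b: the same action submitted again. The answer picks 403;
        # use HTTPStatus.CONFLICT here if 409 suits the resource better.
        if key in done:
            raise ApiError(HTTPStatus.FORBIDDEN, "this action has already been performed")
        done.add(key)
        return HTTPStatus.CREATED, {"user": user, "amount": amount, "at": when.isoformat()}, headers
    except ApiError as err:
        if err.status == HTTPStatus.UNAUTHORIZED:
            headers["WWW-Authenticate"] = 'Basic realm="api"'   # required on a 401
        # The message says what was wrong with the request, not how the server works.
        return err.status, {"error": err.message}, headers
```

Authentication runs first on purpose: validation messages describe the API's expected shape, and there is no reason to hand that detail to a caller who has not proven who they are.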