Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#45800] - [5.x] API Exception Renderer logs 4xx client errors (401, 404) as CRITICAL

No Code Attached Yet
avatar MarcelSchuermann
MarcelSchuermann
28 Jul 2025

Steps to reproduce the issue

  1. Set up a standard Joomla 5 instance with the API application enabled.
  2. Ensure error logging is enabled in the global configuration.
  3. Make an API request to a non-existent endpoint (e.g., GET /api/index.php/v1/nonexistent/route).
  4. Make an API request to a valid endpoint that requires authentication, but provide an invalid or no Authorization header.

Expected result

The API correctly returns a 404 Not Found or 401 Unauthorized response. The Joomla error log should either not contain an entry for this event, or it should be logged at a lower severity level like INFO or NOTICE. The CRITICAL log level should be reserved for unexpected 5xx-level server failures.

Actual result

The API returns the correct 404 or 401 response, but a CRITICAL error is written to the log file for each request. This fills the logs with noise from routine, expected client errors, making it difficult to identify genuine server-side failures.

Example log entry:
CRITICAL ::1 error Uncaught Throwable of type Joomla\CMS\Router\Exception\RouteNotFoundException thrown with message "Unable to handle request for route...".

System information (as much as possible)

  • Joomla! version: 5.3.2
  • PHP version: 8.3
  • API Application (api/index.php)

Additional comments

The default Joomla\CMS\Exception\Renderer\JsonapiRenderer treats all exceptions passed to it as severe errors. This behavior is problematic for API applications where client-side errors (like invalid tokens, incorrect URLs, or permission issues) are common and expected operational events.

A more robust logging strategy would be for the renderer to inspect the type of exception. If the exception is a known client-side error type (e.g., RouteNotFoundException, AuthenticationFailed, NotAllowed), it should be logged at a lower severity. If it's a generic \Exception or \Throwable, it should be logged as CRITICAL as is currently the case.

This change would significantly improve the developer experience and the utility of logs for any site making heavy use of the Joomla API, without changing the "safe by default" handling of truly unknown errors.

Related to #45781

avatar MarcelSchuermann MarcelSchuermann - open - 28 Jul 2025
avatar joomla-cms-bot joomla-cms-bot - change - 28 Jul 2025
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 28 Jul 2025

Add a Comment

Login with GitHub to post a comment