My current configuration limits the number of properties and the size of the request body for every endpoint. Should I return an error if the request body has more information than needed?
Let's say that the /authenticate endpoint requires the JSON body shown below:
{
  "login": "string",
  "password": "string"
}
and the user sends a request:
{
  "login": "mylogin",
  "password": "mypassword",
  "foo": "bar"
}
Should REST API return an error in this case?
There are two options here:
1. Ignoring fields that don't affect request processing and cannot change it.
By default, most JSON/XML parsers, when filling an entity, skip fields that aren't reflected in the model.
2. Strict field matching and returning the HTTP 422 UNPROCESSABLE ENTITY or 400 BAD REQUEST code.
You could have a list of all allowed fields for each endpoint to compare an incoming request with.
It depends on your API design and the style you want users to follow.
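Both options from the answer above, as an added example that is not part of the original answer: one validator that either rejects unknown fields with 422 or drops them so only allowlisted fields reach the handler. `ALLOWED_FIELDS`, `validate_body` and the choice of status code per error are assumptions made for illustration; the example also goes slightly further than the answer by rejecting duplicate keys, which parsers otherwise resolve silently.

```python
import json

# Hypothetical per-endpoint allowlist: field name -> expected JSON type.
ALLOWED_FIELDS = {
    "/authenticate": {"login": str, "password": str},
}


def _reject_duplicates(pairs):
    """object_pairs_hook: fail on repeated keys instead of keeping the last one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate field: {key}")
        obj[key] = value
    return obj


def validate_body(endpoint, raw_body, strict=True):
    """Return (status, payload); payload is the cleaned dict or an error dict."""
    schema = ALLOWED_FIELDS[endpoint]
    try:
        body = json.loads(raw_body, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        return 400, {"error": f"malformed JSON: {exc}"}
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}

    unknown = sorted(set(body) - set(schema))
    if unknown and strict:
        # Option 2: strict matching, tell the client which fields are not allowed.
        return 422, {"error": "unknown fields", "fields": unknown}

    errors = {}
    for name, expected in schema.items():
        if name not in body:
            errors[name] = "missing"
        elif not isinstance(body[name], expected):
            errors[name] = f"expected {expected.__name__}"
    if errors:
        return 422, {"error": "invalid fields", "fields": errors}

    # Option 1: extras are dropped here, so they can never affect processing.
    return 200, {name: body[name] for name in schema}
```

In lenient mode the handler should use only the returned dict, never the raw body, so an ignored field cannot be picked up later by mass assignment.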