Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Allow requestBody for the DELETE method.

See original GitHub issue

I would like the specification to allow a requestBody in the DELETE method and other methods without explicitly defined semantics.

One of the answers in this StackOverflow post states: “The spec does not explicitly forbid or discourage it, so I would tend to say it is allowed.” I would agree with that statement.

Currently the OpenAPI spec says “The requestBody is only supported in HTTP methods where the HTTP 1.1 specification RFC7231 has explicitly defined semantics for request bodies.”

I think this should raise a notice, but not be unsupported and raise an error.

Addendum:

As I mentioned in a comment below, if you do choose to create a batch delete method on your API, whether or not anyone recommends it, make sure to check your cache settings and think about how these settings will interact with DELETE requests. Calling DELETE on /users with data [3,4] will not invalidate the cache for /users/3 or /users/4, so a GET request to either of them may return invalid data depending on cache settings. My comment below describes methods of mitigating this.

Issue Analytics

State:
Created 5 years ago
Reactions:73
Comments:21 (14 by maintainers)

Top GitHub Comments

42reactions

notEthancommented, Feb 19, 2019

@darrelmiller

While I understand the desire to be able to describe existing APIs that have less than ideal behavior, we have to balance that with opening the door for more people to create new APIs that make this same mistake because we allow it.

I wouldn’t expect people to creating APIs to constrain themselves by OpenAPI. when I create an API, first comes the needed functionality, and documenting it with OpenAPI or whatever tool I am using, that comes after. I wouldn’t worry about “opening the door” for unencouraged behavior as that’s not really OpenAPI’s door to hold.

I’m using OpenAPI to document an API that does use delete with a request body, and is not going to change. seems to me I should be able to describe this API with a valid OpenAPI document.

19reactions

n2ygkcommented, Apr 22, 2019

{json:api} explicitly defines a DELETE request body for updating to-many relationships and it has quite well-defined semantics: Remove only the supplied set of resource identifier objects from the (potentially larger) full list of related resource identifier objects.

I am unable to fully represent a {json:api} schema with OAS if it explicitly prohibits what RFC 7231 allows (as undefined but not prohibited). Please (re)consider allowing a request body for DELETE.