Issue: Request Body is not supported for DELETE but RFC 7231 doesn't forbid it

[anatoli26]

Subj. When defining a Request body for a DELETE method, the editor shows a new issue: "Request Body is not supported for DELETE operations. The HTTP specification only supports a body in the HTTP request for the POST, PUT, and OPTIONS methods. As a result, only these operations may define a Request Body input."

But the RFC 7231 (HTTP/1.1) actually says the following about the DELETE method (https://tools.ietf.org/html/rfc7231#section-4.3.5): A payload within a DELETE request message has no defined semantics; sending a payload body on a DELETE request might cause some existing implementations to reject the request. So, the request body is not forbidden for DELETE in HTTP/1.1 RFC, and RFC 5789 defines the body for PATCH.

[EricWittmann]

Yes, however the OpenAPI specification indicates this:

The request body applicable for this operation. The requestBody is only supported in HTTP methods where the HTTP 1.1 specification RFC7231 has explicitly defined semantics for request bodies. In other cases where the HTTP spec is vague, requestBody SHALL be ignored by consumers.

I was still a little on the fence about writing a validation rule based on the above language, but I think it's right.

That said, I'm in the process of designing and implementing a feature that will allow users to customize the severity level of every validation rule that Apicurio applies (and then eventually allow users to define their own rules). So in the near future you'll be able to set that specific rule to ignore and then you won't see it anymore. :)

[anatoli26]

Oh that's great! Thanks!

[jmini]

According to the PR pending in the OpenAPI Spec repository: OAI/OpenAPI-Specification#1937, requestBody will be allowed for DELETE operations.

Maybe you can reconsider?

[EricWittmann]

I think it's reasonable to re-open this in light of OAI/OpenAPI-Specification#1937 - but I think what should be done is that the validation rule should perhaps only apply to specs that are version 3.1.0 or greater. I'll have to give that some more thought, but it seems right.

wdyt?

[anatoli26]

wdyt?

I guess what you proposed before is even better:

That said, I'm in the process of designing and implementing a feature that will allow users to customize the severity level of every validation rule that Apicurio applies (and then eventually allow users to define their own rules). So in the near future you'll be able to set that specific rule to ignore and then you won't see it anymore.

I.e. there should be a way for users to override specification restrictions.

In any case, if we can have a DELETE with body in any way, it's an improvement no matter what.

[EricWittmann]

Oh well, that part is actually already done. Go here to configure a custom validation profile:

https://studio.apicur.io/settings/validation

You can then use that validation profile when editing your API specs:

[anatoli26]

Your dedication to this project is amazing! Thanks a lot!

[EricWittmann]

No problem. There are still some improvements to be made in this area, like how to figure out which of the validation rules corresponds with an error message you might see in the editor. I'd like to have a way to click on the error from the editor and navigate the user over to the validation settings for the active validation profile (or something like that, other suggestions welcome). But hopefully the current validation profile support is a good and useful start.

I have other plans for validation profiles, btw - like being able to assign a validation profile to certain actions in the UI. So for example you could create a validation profile and assign it to the "Generate Project" action, which would cause Apicurio to validate the API design against that specific validation profile before allowing the user to perform that action.