SyntaxFix

[http] REST, HTTP DELETE and parameters

Is there anything non-RESTful about providing parameters to a HTTP DELETE request?


My scenario is that I'm modelling the "Are you sure you want to delete that?" scenario. In some cases, the state of the resource suggests that the requested delete may be invalid. You can probably imagine some scenarios yourself where confirmation of a delete is required

The solution we have adopted is to pass a parameter to the delete request to indicate that it's ok to proceed with the delete ("?force_delete=true")

e.g.

DELETE http://server/resource/id?force_delete=true

I believe that it's still restful since:

(a) The semantics of DELETE are not being changed - the user can still send a normal DELETE request but this may fail with 409 and the body of the response will explain why. I say may fail because (for reasons not worth explaining) on some occasions there is no reason to prompt the user.

(b) There's nothing in Roy's dissertation to suggest that it's against the spirit of REST - why would there be since HTTP is only one implementation of REST so why would passing HTTP parameters matter


Can someone point me at a definitive statement that nails the reason why this isn't RESTful?

On a related question, if the user does not specify force_delete then I'm returning 409 Conflict - is that the most appropriate response code?


Follow up

After some further research, I think that adding parameters to the DELETE may violate several principles.

The first is that the implementation possibly violates the "Uniform Interface" (see section 5.1.5 of Roy's dissertation

By adding 'force_delete' we're adding an additional constraint onto the already well defined DELETE method. This constraint is meaningful only to us.

You could also argue that it violate the "5.1.2 Client-Server" since the confirmation dialogue is really a UI concern and again not all clients will want to confirm deletion.

Suggestions anyone?

This question is related to http rest

The answer is

No, it is not RESTful. The only reason why you should be putting a verb (force_delete) into the URI is if you would need to overload GET/POST methods in an environment where PUT/DELETE methods are not available. Judging from your use of the DELETE method, this is not the case.

HTTP error code 409/Conflict should be used for situations where there is a conflict which prevents the RESTful service to perform the operation, but there is still a chance that the user might be able to resolve the conflict himself. A pre-deletion confirmation (where there are no real conflicts which would prevent deletion) is not a conflict per se, as nothing prevents the API from performing the requested operation.

As Alex said (I don't know who downvoted him, he is correct), this should be handled in the UI, because a RESTful service as such just processes requests and should be therefore stateless (i.e. it must not rely on confirmations by holding any server-side information about of a request).

Two examples how to do this in UI would be to:

  • pre-HTML5:* show a JS confirmation dialog to the user, and send the request only if the user confirms it
  • HTML5:* use a form with action DELETE where the form would contain only "Confirm" and "Cancel" buttons ("Confirm" would be the submit button)

(*) Please note that HTML versions prior to 5 do not support PUT and DELETE HTTP methods natively, however most modern browsers can do these two methods via AJAX calls. See this thread for details about cross-browser support.

Update (based on additional investigation and discussions):

The scenario where the service would require the force_delete=true flag to be present violates the uniform interface as defined in Roy Fielding's dissertation. Also, as per HTTP RFC, the DELETE method may be overridden on the origin server (client), implying that this is not done on the target server (service).

So once the service receives a DELETE request, it should process it without needing any additional confirmation (regardless if the service actually performs the operation).

In addition to Alex's answer:

Note that http://server/resource/id?force_delete=true identifies a different resource than http://server/resource/id. For example, it is a huge difference whether you delete /customers/?status=old or /customers/.

I think this is non-restful. I do not think the restful service should handle the requirement of forcing the user to confirm a delete. I would handle this in the UI.

Does specifying force_delete=true make sense if this were a program's API? If someone was writing a script to delete this resource, would you want to force them to specify force_delete=true to actually delete the resource?

It's an old question, but here are some comments...

  1. In SQL, the DELETE command accepts a parameter "CASCADE", which allows you to specify that dependent objects should also be deleted. This is an example of a DELETE parameter that makes sense, but 'man rm' could provide others. How would these cases possibly be implemented in REST/HTTP without a parameter?
  2. @Jan, it seems to be a well-established convention that the path part of the URL identifies a resource, whereas the querystring does not (at least not necessarily). Examples abound: getting the same resource but in a different format, getting specific fields of a resource, etc. If we consider the querystring as part of the resource identifier, it is impossible to have a concept of "different views of the same resource" without turning to non-RESTful mechanisms such as HTTP content negotiation (which can be undesirable for many reasons).

Source: Stackoverflow.com

Examples related to http

Access blocked by CORS policy: Response to preflight request doesn't pass access control check Axios Delete request with body and headers? Read response headers from API response - Angular 5 + TypeScript Android 8: Cleartext HTTP traffic not permitted Angular 4 HttpClient Query Parameters Load json from local file with http.get() in angular 2 Angular 2: How to access an HTTP response body? What is HTTP "Host" header? Golang read request body Angular 2 - Checking for server errors from subscribe

Examples related to rest

Access blocked by CORS policy: Response to preflight request doesn't pass access control check Returning data from Axios API Access Control Origin Header error using Axios in React Web throwing error in Chrome JSON parse error: Can not construct instance of java.time.LocalDate: no String-argument constructor/factory method to deserialize from String value How to send json data in POST request using C# How to enable CORS in ASP.net Core WebAPI RestClientException: Could not extract response. no suitable HttpMessageConverter found REST API - Use the "Accept: application/json" HTTP Header 'Field required a bean of type that could not be found.' error spring restful API using mongodb MultipartException: Current request is not a multipart request

Tags

Complement Ceiklabel Query-string Protocolexception Slimdx Windows-mobile-6.1 Joined-subclass Web-publishing Nunit-2.5 Javascript-injection Symbol-table Overlapping-matches Thawte Server-load Pyqt4 Client-side-templating Mkannotationview Move-constructor Pi-db Ilookup Sbt Squashfs Memoryanalyzer Asp.net-mvc-controller Informix Fragment-shader Resgen System-tables Perlvar Concurrent-programming Pylucene Basichttpbinding Meta-title Masstransit Jsr233 Open-source Xfbml Aspwizard User-defined-functions Eventargs Pac Debugbreak Satelliteforms Xrm Target-framework Meta-where Editing Cts Toolstripcontrolhost Cedet Embedding Gui-toolkit Multilingual Pdk Interruptions Formatting Datagridview Zlib Typeof Tablerowsorter Ps Rhapsody Biometrics Digital-logic Cgbitmapcontextcreate Statusstrip Runas Netui Cls-compliant Ie8-webslice Windows-update Dynamic-execution Rosetta Sigint Locationmanager Ncover Isabout Guidance-automation-tool Fsockopen Dynamic Emailfield Open-uri Microsoft-dynamics 3dsmax Zend-feed Refactorpro Toolstripitem Boost-spirit Eventtrigger Java-3d Overlayitem Igmp Firefox3.5 Textrenderer Mod-security Fixed-length-file Webpage-screenshot Setjmp Html-help Magic-methods