Skip to content

Remove unreachable req.body fallback from delete controller #257

New issue
New issue
Open
Open
Remove unreachable req.body fallback from delete controller#257
@thehabes

Description

@thehabes
thehabes
opened on Mar 24, 2026

Summary

In controllers/delete.js:27, the deleteObj controller has a fallback path that attempts to extract an ID from req.body when req.params._id is missing:

id = req.params["_id"] ?? parseDocumentID(JSON.parse(JSON.stringify(req.body))["@id"]) ?? parseDocumentID(JSON.parse(JSON.stringify(req.body))["id"])

This code is unreachable for two reasons:

  1. The route always requires :_idroutes/delete.js defines DELETE /:_id, so req.params._id is always present when this handler runs.
  2. DELETE requests don't carry bodies — The controller's own comments acknowledge this (lines 13, 17): "XHR does not support DELETE with body" and "Note this is not v1/api/delete, that is not possible (XHR does not support DELETE with body)".

Suggested Fix

Remove the req.body fallback and simplify the ID extraction. The try/catch around it can also be simplified since req.params._id is guaranteed by the route.

Found During

Code review of PR #255 (Content-Type validation).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions