OpenAPI 3.1 supports Body for DELETE method

[jsg91]

Describe the Bug

OpenAPI 3.1 supports Body for DELETE method, if condition in OpenApi.ps1 doesn't allow it:

Pode/src/Public/OpenApi.ps1

Line 814 in f8c51b7

if (('POST', 'PUT', 'PATCH') -inotcontains $r.Method ) {

Steps To Reproduce

Steps to reproduce the behavior:

1. Set up a DELETE API requiring a body
2. Start server
3. See error in ErrorLog

Expected Behavior

Should work, especially if Enable-PodeOpenApi -OpenApiVersion is defined as "3.1.0"

[mdaneri]

According to the OpenAPI 3.x specification, the request body is explicitly supported for POST, PUT, and PATCH methods, but not for GET, DELETE, or HEAD. This limitation isn’t just a constraint of OpenAPI—it’s based on the HTTP standards outlined in various RFCs, particularly RFC 7231.

While HTTP itself does not prohibit sending a body in GET or DELETE requests, RFC 7231 (which defines the semantics and content of HTTP methods) makes no provision for how servers should interpret or handle a body for these methods. As a result, behavior is inconsistent across different implementations, and many server frameworks either ignore or outright reject bodies for GET and DELETE requests.

The HTTP RFCs suggest that GET should retrieve resources, and DELETE should remove resources. Neither of these actions typically requires a body to define the action being performed, hence the lack of a formal specification supporting it. For example:

•	POST is used for creating resources and can have a complex request body.
•	PUT is used to update or replace a resource, which also requires a body to describe the new state of the resource.
•	PATCH allows partial updates and likewise depends on a body to specify the changes.

For DELETE, the common expectation is that the resource to be deleted is identified by the URL alone, without needing additional data in the body. Although some server implementations might permit bodies with DELETE requests, this is not standardized or recommended in the RFCs, leading to potential interoperability issues.

Thus, OpenAPI adheres to these guidelines to maintain compatibility across different servers and implementations, ensuring that request bodies are used only with methods where they are clearly defined by HTTP standards.

For more information, you can refer to the official OpenAPI documentation:
https://swagger.io/docs/specification/v3_0/describing-request-body/describing-request-body/

[jsg91]

From what I've seen, one should avoid using a Body for a DELETE. However, I have a requirement where the delete calls need a few more parameters than I want to put in the URL. For that very reason, probably OpenAPI allows it in their latest standard. Thus it's hindering in my case for Pode to not allow it

[mdaneri]

You can pass the body content as a JSON/YAML/XML header.
That is supported

[mdaneri]

Do you have a link that says Delete body is supported openapi?

[jsg91]

Do you have a link that says Delete body is supported openapi?

https://spec.openapis.org/oas/v3.1.0.html#operation-object under Field Name requestBody