Summary
In controllers/delete.js:27, the deleteObj controller has a fallback path that attempts to extract an ID from req.body when req.params._id is missing:
id = req.params["_id"] ?? parseDocumentID(JSON.parse(JSON.stringify(req.body))["@id"]) ?? parseDocumentID(JSON.parse(JSON.stringify(req.body))["id"])
This code is unreachable for two reasons:
- The route always requires
:_id — routes/delete.js defines DELETE /:_id, so req.params._id is always present when this handler runs.
- DELETE requests don't carry bodies — The controller's own comments acknowledge this (lines 13, 17):
"XHR does not support DELETE with body" and "Note this is not v1/api/delete, that is not possible (XHR does not support DELETE with body)".
Suggested Fix
Remove the req.body fallback and simplify the ID extraction. The try/catch around it can also be simplified since req.params._id is guaranteed by the route.
Found During
Code review of PR #255 (Content-Type validation).
Summary
In
controllers/delete.js:27, thedeleteObjcontroller has a fallback path that attempts to extract an ID fromreq.bodywhenreq.params._idis missing:This code is unreachable for two reasons:
:_id—routes/delete.jsdefinesDELETE /:_id, soreq.params._idis always present when this handler runs."XHR does not support DELETE with body"and"Note this is not v1/api/delete, that is not possible (XHR does not support DELETE with body)".Suggested Fix
Remove the
req.bodyfallback and simplify the ID extraction. Thetry/catcharound it can also be simplified sincereq.params._idis guaranteed by the route.Found During
Code review of PR #255 (Content-Type validation).