Are DELETE requests reversible?

Question

Are DELETE requests reversible?

Answer

DELETE is not like the trash bin in our computer, it is more like tearing and burning a page from a book, it is not a reversible action after the request has been sent, but depending on the purpose of the delete we can make “fire checks”, what do I mean by that?

let’s say we are creating an API server for our own app, and we will allow our user to request the deletion of their account on a single click of a button. Now, we all know that mistakes happen and either if our cat walked over the keyboard or if we mistakenly click on top of the button, it will be a total tragedy to lose whatever information that single mistake can destroy. In those cases, we would commonly set a two-step process authorization, if the button gets clicked, there will be a pop-up requesting further confirmation from the user that it is indeed the course of action that they want to take.

Regular APIs do not have that functionality (commonly), because if the developer using it has gone through the trouble to write a request with a DELETE method, ie:

fetch('http://localhost/expressions/3', {method: 'DELETE'});

then, they really want to delete that data, yet if we want to be very nice, or the type of data we are working with our API is sensitive or important, we could implement an internal two-step process in the function, like every time we receive a DELETE request to our endpoint, it will make a GET request for that data, and a POST request to a deleted storage where we can keep it for, let’s say, 30 days, and after those 30 days simply process a DELETE on that data. We could further let the user know that he has 30 days to recuperate the data if they needed to, and even further we can provide a save DELETE endpoint and a regular one so people can choose between:

DELETE http://localhost:4001/expressions/safe/:id

or

DELETE http://localhost:4001/expressions/:id

it will also mean that internally we will handle it differently on each endpoint, for example safe will have few more steps:
something like

...
const expressionIndex = getIndexById(req.params.id, expressions);
//we give the object a date where we want it to expire
expressionIndex.deleteDueDay = new Date().setDate(new Date().getDate()+30);
//and push it in our storage of deleted items
deletedExpressionsArray.push(expressionIndex);
//then we can delete the object from our expressions array
...

It is up to us to provide this options, but it is not necessary, DELETE is an irreversible request and is generally treated with care.

I have to kindly disagree with this whole article.

I, as a developer, have full control over what I am creating. If I want to make DELETE requests reversible - they will be. I don’t see how a given HTTP verb could dictate how my server application should behave.

There are many systems where it is common to have a soft delete as a default. In all business-related systems - CRM systems, ERP systems, HCM systems, etc… it would be a tragedy if the user could hard delete any of the data.

If this two-step process authorization is a functionality of the API then I have to ask how the API can dictate how the client (button, pop-up) should behave? This is out of our control and out of our responsibility.

The real question should be - are any requests reversible? And the answer should be - by default no. I would even state that it is much more common to make DELETE reversible than PUT - it is more common to implement soft delete than change history.

I think both perspectives are correct. If by default these HTTP methods are irreversible, isn’t it irreversible?

Moreover, the first individual who attempted to answer the question mentioned cases of working around this and providing functionality to ensure a hard delete is protected.

Hard deletes are necessary for legal purposes on certain data (check legal regulations). As for full control I would argue the company that employees you owns the software through contract (if signed and stated) and should be informed on how you intend to handle data.