You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Supporting HTTP QUERY Method in express-zod-api
## Background: What Is HTTP QUERY?
The HTTP QUERY method is defined in **RFC 10008** (published June 2026,
Standards Track). In essence, QUERY is like GET but with a body. It is a
**safe and idempotent** request method that can carry request content —
a combination of properties that no existing standard HTTP method fully
satisfies.
QUERY requests that the target resource process the enclosed content
(the query) and respond with the result, without changing resource
state. The server uses the `Content-Type` to determine how to interpret
the body, and clients can discover QUERY support via the `Accept-Query`
response header.
**Key properties:**
| Property | QUERY | GET | POST |
|---|---|---|---|
| Safe | Yes | Yes | No |
| Idempotent | Yes | Yes | No |
| Can have body | Yes | No | Yes |
| Cacheable | Yes | Yes | With care |
| Request content in URI | Not required | Required | Not required |
## Why Use QUERY When GET and POST Already Exist?
### Problems with GET for queries
GET encodes the entire query in the URI. This has several drawbacks:
- **URI size limits** — many implementations (servers, proxies, CDNs)
cap URIs at ~8 KB, making complex queries impossible.
- **Encoding overhead** — binary data, complex filters, or structured
query languages must be URI-encoded, inflating size and reducing
readability.
- **Exposure** — URIs are more likely to be logged by intermediaries and
bookmarked by users, potentially leaking query details.
### Problems with POST for queries
POST is neither safe nor idempotent. Using it for queries means:
- **No safe retries** — intermediaries and clients cannot automatically
retry a POST on network failure, because the request might have mutated
state.
- **No caching** — POST responses are not cacheable by default, so
repeated identical queries cannot be served from a cache.
- **Semantic mismatch** — POST implies creation or mutation; using it
for read-only queries confuses tooling, monitoring, and human readers.
### How QUERY bridges the gap
QUERY is semantically a read operation (safe, idempotent, cacheable) but
with body support like POST. This makes it the natural choice for:
- Complex search/filter APIs (GraphQL, Elasticsearch, SQL-over-HTTP)
- APIs with large or structured query payloads
- Any read operation where the query exceeds URI size limits
- Safe operations that need content negotiation via `Content-Type`
## What Would It Take to Add QUERY Support?
### Current state
- **Node.js** (22.19+, 24.x, 26.x) already has `QUERY` in `http.METHODS`
— the parser accepts it.
- **Express 5.1.x** at runtime handles QUERY correctly via its
Layer-based routing — Express does not restrict which methods can be
routed.
- **Express types** (`@types/express-serve-static-core`) do not list
`query` on `IRouter`. This is a deliberate policy: Express adds type
entries only when the IETF method reaches sufficient maturity. (For
reference, Express also does not type `"query"` despite it being the
`?key=val` part of a URL — the name collision is coincidental.)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for the HTTP **QUERY** method (RFC 10008), including
typed client/endpoints and default input handling (query, body, and path
params).
* Documentation improvements for OpenAPI **3.2.0** (including SSE schema
handling) and enhanced security depiction (OAuth2 device authorization).
* **Bug Fixes**
* Improved routing initialization to validate **QUERY** registration and
raise clearer errors when unsupported.
* **Documentation**
* Updated generated docs/snapshots and example payload structure
(`value` → `dataValue`), and adjusted documentation constructor inputs
to `info` + `server`.
* **Tests**
* Expanded coverage for **QUERY** routing, extraction, typing, and
documentation output.
* **Chores**
* Updated server startup lifecycle to treat hooks as synchronous, and
removed the deprecated `Integration.create()` factory.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
0 commit comments