Fix Sonarqube warnings

pulk17 · pulk17 · commit d8eada243f5d · 2026-06-08T15:46:15.000+05:30
diff --git a/mod_api/middleware/auth.py b/mod_api/middleware/auth.py
@@ -19,13 +19,21 @@
 from mod_api.middleware.error_handler import make_error_response
 from mod_api.models.api_token import ApiToken
 
+# Reused across every 401 response to keep the message consistent.
+_AUTH_FAILED_MSG = 'Bearer token is missing, expired, or invalid.'
+
 # These endpoints bypass auth entirely.
 _PUBLIC_ENDPOINTS = frozenset([
     'api.create_token',       # POST /auth/tokens (uses email/password body)
     'api.system_health',      # GET /system/health (uptime monitoring)
 ])
 
 
+def _unauthorized():
+    """Shorthand for a 401 response with the standard auth failure message."""
+    return make_error_response('unauthorized', _AUTH_FAILED_MSG, http_status=401)
+
+
 @mod_api.before_request
 def authenticate_request():
     """Validate Bearer token and attach user context to the request."""
@@ -36,38 +44,22 @@ def authenticate_request():
 
     auth_header = request.headers.get('Authorization', '')
     if not auth_header:
-        return make_error_response(
-            'unauthorized',
-            'Bearer token is missing, expired, or invalid.',
-            http_status=401,
-        )
+        return _unauthorized()
 
     parts = auth_header.split(' ', 1)
     if len(parts) != 2 or parts[0] != 'Bearer':
-        return make_error_response(
-            'unauthorized',
-            'Bearer token is missing, expired, or invalid.',
-            http_status=401,
-        )
+        return _unauthorized()
 
     token_value = parts[1].strip()
     if not token_value or not token_value.startswith('spci_'):
-        return make_error_response(
-            'unauthorized',
-            'Bearer token is missing, expired, or invalid.',
-            http_status=401,
-        )
+        return _unauthorized()
 
     # Look up by prefix, then verify the full hash against each candidate.
     prefix = ApiToken.extract_prefix(token_value)
     candidates = ApiToken.query.filter_by(token_prefix=prefix).all()
 
     if not candidates:
-        return make_error_response(
-            'unauthorized',
-            'Bearer token is missing, expired, or invalid.',
-            http_status=401,
-        )
+        return _unauthorized()
 
     matched_token = None
     for candidate in candidates:
@@ -76,18 +68,10 @@ def authenticate_request():
             break
 
     if matched_token is None:
-        return make_error_response(
-            'unauthorized',
-            'Bearer token is missing, expired, or invalid.',
-            http_status=401,
-        )
+        return _unauthorized()
 
     if not matched_token.is_valid:
-        return make_error_response(
-            'unauthorized',
-            'Bearer token is missing, expired, or invalid.',
-            http_status=401,
-        )
+        return _unauthorized()
 
     g.api_token = matched_token
     g.api_user = matched_token.user
@@ -100,11 +84,7 @@ def decorator(f):
         def decorated_function(*args, **kwargs):
             token = getattr(g, 'api_token', None)
             if token is None:
-                return make_error_response(
-                    'unauthorized',
-                    'Bearer token is missing, expired, or invalid.',
-                    http_status=401,
-                )
+                return _unauthorized()
             if not token.has_scope(scope):
                 return make_error_response(
                     'forbidden',
@@ -127,11 +107,7 @@ def decorator(f):
         def decorated_function(*args, **kwargs):
             user = getattr(g, 'api_user', None)
             if user is None:
-                return make_error_response(
-                    'unauthorized',
-                    'Bearer token is missing, expired, or invalid.',
-                    http_status=401,
-                )
+                return _unauthorized()
             if user.role.value not in roles:
                 return make_error_response(
                     'forbidden',
diff --git a/mod_api/middleware/error_handler.py b/mod_api/middleware/error_handler.py
@@ -14,6 +14,10 @@
 
 from mod_api import mod_api
 
+# All error handlers check this prefix before intercepting — non-API
+# routes (the legacy web UI) should still get their HTML error pages.
+_API_PREFIX = '/api/v1'
+
 
 def make_error_response(code, message, details=None, http_status=400):
     """Build a JSON error response conforming to the ErrorResponse schema."""
@@ -27,10 +31,15 @@ def make_error_response(code, message, details=None, http_status=400):
     return response
 
 
+def _is_api_request():
+    """Check whether the current request targets an API endpoint."""
+    return request.path.startswith(_API_PREFIX)
+
+
 @mod_api.app_errorhandler(400)
 def handle_400(error):
     """Bad request."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'validation_error',
@@ -42,7 +51,7 @@ def handle_400(error):
 @mod_api.app_errorhandler(401)
 def handle_401(error):
     """Unauthorized."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'unauthorized',
@@ -54,7 +63,7 @@ def handle_401(error):
 @mod_api.app_errorhandler(403)
 def handle_403(error):
     """Forbidden."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'forbidden',
@@ -66,7 +75,7 @@ def handle_403(error):
 @mod_api.app_errorhandler(404)
 def handle_404(error):
     """Not found."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'not_found',
@@ -78,7 +87,7 @@ def handle_404(error):
 @mod_api.app_errorhandler(405)
 def handle_405(error):
     """Method not allowed."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'method_not_allowed',
@@ -90,7 +99,7 @@ def handle_405(error):
 @mod_api.app_errorhandler(422)
 def handle_422(error):
     """Unprocessable entity."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'unprocessable',
@@ -102,7 +111,7 @@ def handle_422(error):
 @mod_api.app_errorhandler(429)
 def handle_429(error):
     """Rate limited."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'rate_limited',
@@ -115,7 +124,7 @@ def handle_429(error):
 @mod_api.app_errorhandler(500)
 def handle_500(error):
     """Internal server error."""
-    if not request.path.startswith('/api/v1'):
+    if not _is_api_request():
         raise error
     return make_error_response(
         'internal_error',
diff --git a/mod_api/middleware/validation.py b/mod_api/middleware/validation.py
@@ -35,6 +35,13 @@ def validate_body(schema_class):
     def decorator(f):
         @wraps(f)
         def decorated(*args, **kwargs):
+            content_type = request.content_type or ''
+            if 'application/json' not in content_type:
+                return make_error_response(
+                    'validation_error',
+                    'Content-Type must be application/json.',
+                    http_status=415,
+                )
             json_data = request.get_json(silent=True)
             if json_data is None:
                 return make_error_response(
