refactor how Content-Type headers are checked

Author: thehabes

controllers/utils.js

@@ -5,7 +5,6 @@
  * @author Claude Sonnet 4, cubap, thehabes
  */
 import { newID, isValidID, db } from '../database/index.js'
-import utils from '../utils.js'
 
 const ObjectID = newID
 

rest.js

@@ -27,26 +27,71 @@ const checkPatchOverrideSupport = function (req, res) {
 }
 
 /**
- * Middleware to validate Content-Type headers.
- * Ensures that requests carrying bodies have an appropriate Content-Type before
- * reaching controllers, preventing unhandled errors from unparsed or mis-parsed bodies.
+ * Middleware to validate JSON Content-Type headers for endpoints recieving JSON bodies.
  *
- * - Skips validation for methods that don't carry bodies (GET, HEAD, OPTIONS, DELETE)
- * - Skips validation for endpoints that don't carry bodies (/release)
- * - Allows text/plain for /search endpoints (which accept plain text search terms)
- * - Requires application/json or application/ld+json for all other write endpoints
- * - Returns 415 for missing or unsupported Content-Type
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const jsonContent = function (req, res, next) {
+    const contentType = (req.get("Content-Type") ?? "").toLowerCase()
+    const mimeType = contentType.split(";")[0].trim()
+    if (!mimeType) {
+        return next(createExpressError({
+            statusCode: 415,
+            statusMessage: `Missing or empty Content-Type header.`
+        }))
+    }
+    if (contentType.includes(",")) {
+        return next(createExpressError({
+            statusCode: 415,
+            statusMessage: `Multiple Content-Type values are not allowed. Provide exactly one Content-Type header.`
+        }))
+    }
+    if (mimeType === "application/json" || mimeType === "application/ld+json") return next()
+    return next(createExpressError({
+        statusCode: 415,
+        statusMessage: `Unsupported Content-Type: ${contentType}. This endpoint requires application/json or application/ld+json.`
+    }))
+}
+
+/**
+ * Middleware to validate Content-Type headers for endpoints recieving textual bodies.
  *
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
  * @param {Function} next - Express next middleware function
  */
-const SKIP_CONTENT_TYPE_METHODS = ["GET", "HEAD", "OPTIONS", "DELETE"]
-const validateContentType = function (req, res, next) {
-    const isReleaseEndpoint = req.path === "/release" || req.path.startsWith("/release/")
-    if (SKIP_CONTENT_TYPE_METHODS.includes(req.method) || isReleaseEndpoint) {
-        return next()
+const textContent = function (req, res, next) {
+    const contentType = (req.get("Content-Type") ?? "").toLowerCase()
+    const mimeType = contentType.split(";")[0].trim()
+    if (!mimeType) {
+        return next(createExpressError({
+            statusCode: 415,
+            statusMessage: `Missing or empty Content-Type header.`
+        }))
+    }
+    if (contentType.includes(",")) {
+        return next(createExpressError({
+            statusCode: 415,
+            statusMessage: `Multiple Content-Type values are not allowed. Provide exactly one Content-Type header.`
+        }))
     }
+    if (mimeType === "text/plain") return next()
+    return next(createExpressError({
+        statusCode: 415,
+        statusMessage: `Unsupported Content-Type: ${contentType}. This endpoint requires text/plain.`
+    }))
+}
+
+/**
+ * Middleware to validate Content-Type headers for endpoints recieving either JSON or textual bodies.
+ *
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const eitherContent = function (req, res, next) {
     const contentType = (req.get("Content-Type") ?? "").toLowerCase()
     const mimeType = contentType.split(";")[0].trim()
     if (!mimeType) {
@@ -61,13 +106,10 @@ const validateContentType = function (req, res, next) {
             statusMessage: `Multiple Content-Type values are not allowed. Provide exactly one Content-Type header.`
         }))
     }
-    if (mimeType === "application/json" || mimeType === "application/ld+json") return next()
-    const isSearchEndpoint = req.path === "/search" || req.path.startsWith("/search/")
-    if (mimeType === "text/plain" && isSearchEndpoint) return next()
-    const acceptedTypes = `application/json or application/ld+json${isSearchEndpoint ? ' or text/plain' : ''}`
+    if (mimeType === "text/plain" || mimeType === "application/json" || mimeType === "application/ld+json") return next()
     return next(createExpressError({
         statusCode: 415,
-        statusMessage: `Unsupported Content-Type: ${contentType}. This endpoint requires ${acceptedTypes}.`
+        statusMessage: `Unsupported Content-Type: ${contentType}. This endpoint requires text/plain.`
     }))
 }
 
@@ -163,4 +205,4 @@ It may not have completed at all, and most likely did not complete successfully.
     res.status(error.status).send(error.message)
 }
 
-export default { checkPatchOverrideSupport, validateContentType, messenger }
+export default { checkPatchOverrideSupport, jsonContent, textContent, messenger }

routes/api-routes.js

@@ -44,12 +44,10 @@ import releaseRouter from './release.js';
 import sinceRouter from './since.js';
 // Support GET requests like v1/history/{object id} to discover all previous versions tracing back to the prime.
 import historyRouter from './history.js';
-import rest from '../rest.js'
 
 router.use(staticRouter)
-router.use('/id',idRouter)
+router.use('/id', idRouter)
 router.use('/api', compatabilityRouter)
-router.use('/api', rest.validateContentType)
 router.use('/api/query', queryRouter)
 router.use('/api/search', searchRouter)
 router.use('/api/create', createRouter)

routes/bulkCreate.js

@@ -5,9 +5,10 @@ const router = express.Router()
 //This controller will handle all MongoDB interactions.
 import controller from '../db-controller.js'
 import auth from '../auth/index.js'
+import { jsonContent } from '../rest.js'
 
 router.route('/')
-    .post(auth.checkJwt, controller.bulkCreate)
+    .post(auth.checkJwt, jsonContent, controller.bulkCreate)
     .all((req, res, next) => {
         res.statusMessage = 'Improper request method for creating, please use POST.'
         res.status(405)

routes/bulkUpdate.js

@@ -5,9 +5,10 @@ const router = express.Router()
 //This controller will handle all MongoDB interactions.
 import controller from '../db-controller.js'
 import auth from '../auth/index.js'
+import { jsonContent } from '../rest.js'
 
 router.route('/')
-    .put(auth.checkJwt, controller.bulkUpdate)
+    .put(auth.checkJwt, jsonContent, controller.bulkUpdate)
     .all((req, res, next) => {
         res.statusMessage = 'Improper request method for creating, please use PUT.'
         res.status(405)

routes/create.js

@@ -4,9 +4,10 @@ const router = express.Router()
 //This controller will handle all MongoDB interactions.
 import controller from '../db-controller.js'
 import auth from '../auth/index.js'
+import { jsonContent } from '../rest.js'
 
 router.route('/')
-    .post(auth.checkJwt, controller.create)
+    .post(auth.checkJwt, jsonContent, controller.create)
     .all((req, res, next) => {
         res.statusMessage = 'Improper request method for creating, please use POST.'
         res.status(405)

routes/overwrite.js

@@ -4,9 +4,10 @@ const router = express.Router()
 //This controller will handle all MongoDB interactions.
 import controller from '../db-controller.js'
 import auth from '../auth/index.js'
+import { jsonContent } from '../rest.js'
 
 router.route('/')
-    .put(auth.checkJwt, controller.overwrite)
+    .put(auth.checkJwt, jsonContent, controller.overwrite)
     .all((req, res, next) => {
         res.statusMessage = 'Improper request method for overwriting, please use PUT to overwrite this object.'
         res.status(405)

routes/patchSet.js

@@ -4,9 +4,10 @@ const router = express.Router()
 import controller from '../db-controller.js'
 import auth from '../auth/index.js'
 import rest from '../rest.js'
+import { jsonContent } from '../rest.js'
 
 router.route('/')
-    .patch(auth.checkJwt, controller.patchSet)
+    .patch(auth.checkJwt, jsonContent, controller.patchSet)
     .post(auth.checkJwt, (req, res, next) => {
         if (rest.checkPatchOverrideSupport(req, res)) {
             controller.patchSet(req, res, next)

routes/patchUnset.js

@@ -6,7 +6,7 @@ import auth from '../auth/index.js'
 import rest from '../rest.js'
 
 router.route('/')
-    .patch(auth.checkJwt, controller.patchUnset)
+    .patch(auth.checkJwt, rest.jsonContent, controller.patchUnset)
     .post(auth.checkJwt, (req, res, next) => {
         if (rest.checkPatchOverrideSupport(req, res)) {
             controller.patchUnset(req, res, next)

routes/patchUpdate.js

@@ -7,7 +7,7 @@ import rest from '../rest.js'
 import auth from '../auth/index.js'
 
 router.route('/')
-    .patch(auth.checkJwt, controller.patchUpdate) 
+    .patch(auth.checkJwt, rest.jsonContent, controller.patchUpdate) 
     .post(auth.checkJwt, (req, res, next) => {
         if (rest.checkPatchOverrideSupport(req, res)) {
             controller.patchUpdate(req, res, next)