First pass at handling bad Content-Type headers. Focus on a way to do it that doesn't have to touch man files in the api/ directory.

Author: thehabes

app.js

@@ -57,7 +57,7 @@ app.use(
   })
 )
 app.use(logger('dev'))
-app.use(express.json())
+app.use(express.json({ type: ["application/json", "application/ld+json"] }))
 app.use(express.text())
 app.use(express.urlencoded({ extended: true }))
 app.use(cookieParser())

rest.js

@@ -24,6 +24,52 @@ const checkPatchOverrideSupport = function (req, res) {
     return undefined !== override && override === "PATCH"
 }
 
+/**
+ * Middleware to validate Content-Type headers on API write endpoints.
+ * Ensures that requests carrying bodies have an appropriate Content-Type before
+ * reaching controllers, preventing unhandled errors from unparsed or mis-parsed bodies.
+ *
+ * - Skips validation for methods that don't carry bodies (GET, HEAD, OPTIONS, DELETE)
+ * - Allows text/plain for /search endpoints (which accept plain text search terms)
+ * - Requires application/json or application/ld+json for all other write endpoints
+ * - Returns 400 for missing Content-Type, 415 for unsupported Content-Type
+ *
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const validateContentType = function (req, res, next) {
+    const skipMethods = ["GET", "HEAD", "OPTIONS", "DELETE"]
+    if (skipMethods.includes(req.method)) {
+        return next()
+    }
+
+    const contentType = req.get("Content-Type") ?? ""
+
+    if (!contentType) {
+        res.statusMessage = `Missing Content-Type header. Requests to this endpoint require a Content-Type of "application/json" or "application/ld+json".`
+        res.status(415)
+        return next(res)
+    }
+
+    const isJson = contentType.includes("application/json") || contentType.includes("application/ld+json")
+    const isText = contentType.includes("text/plain")
+    const isSearchEndpoint = req.path.startsWith("/search")
+
+    if (isJson) {
+        return next()
+    }
+
+    if (isText && isSearchEndpoint) {
+        return next()
+    }
+
+    const acceptedTypes = `"application/json" or "application/ld+json"${isSearchEndpoint ? ' or "text/plain"' : ''}`
+    res.statusMessage = `Unsupported Content-Type: "${contentType}". This endpoint requires ${acceptedTypes}.`
+    res.status(415)
+    next(res)
+}
+
 /**
  * Throughout the routes are certain warning, error, and hard fail scenarios.
  * REST is all about communication.  The response code and the textual body are particular.
@@ -95,6 +141,9 @@ The requested web page or resource could not be found.`
         case 409:
             // These are all handled in db-controller.js already.
             break
+        case 415:
+            // Unsupported Media Type.  The Content-Type header is not acceptable for this endpoint.
+            break
         case 501:
             // Not implemented.  Handled upstream.
             break
@@ -113,4 +162,4 @@ It may not have completed at all, and most likely did not complete successfully.
     res.status(error.status).send(error.message)
 }
 
-export default { checkPatchOverrideSupport, messenger }
+export default { checkPatchOverrideSupport, validateContentType, messenger }

routes/__tests__/contentType.test.js

@@ -0,0 +1,113 @@
+import { jest } from "@jest/globals"
+import express from "express"
+import request from "supertest"
+import rest from '../../rest.js'
+
+// Set up a minimal Express app with the Content-Type validation middleware
+const routeTester = new express()
+routeTester.use(express.json({ type: ["application/json", "application/ld+json"] }))
+routeTester.use(express.text())
+routeTester.use(express.urlencoded({ extended: false }))
+
+// Mount the validateContentType middleware on /api just like api-routes.js
+routeTester.use("/api", rest.validateContentType)
+
+// Simple JSON-only endpoint (like /api/create, /api/query, etc.)
+routeTester.post("/api/create", (req, res) => {
+    res.status(200).json({ received: req.body })
+})
+
+// Search endpoint that accepts text/plain
+routeTester.post("/api/search", (req, res) => {
+    res.status(200).json({ received: req.body })
+})
+
+// GET endpoint should pass through without Content-Type validation
+routeTester.get("/api/info", (req, res) => {
+    res.status(200).json({ info: true })
+})
+
+// Error handler matching the app's pattern
+routeTester.use(rest.messenger)
+
+describe("Content-Type validation middleware", () => {
+
+    it("accepts application/json with valid JSON body", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .set("Content-Type", "application/json")
+            .send({ test: "data" })
+        expect(response.statusCode).toBe(200)
+        expect(response.body.received.test).toBe("data")
+    })
+
+    it("accepts application/ld+json with valid JSON body", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .set("Content-Type", "application/ld+json")
+            .send(JSON.stringify({ "@context": "http://example.org", test: "ld" }))
+        expect(response.statusCode).toBe(200)
+        expect(response.body.received["@context"]).toBe("http://example.org")
+    })
+
+    it("accepts application/json with charset parameter", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .set("Content-Type", "application/json; charset=utf-8")
+            .send({ test: "charset" })
+        expect(response.statusCode).toBe(200)
+    })
+
+    it("returns 415 for missing Content-Type header", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .unset("Content-Type")
+            .send(Buffer.from('{"test":"data"}'))
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Missing Content-Type header")
+    })
+
+    it("returns 415 for text/plain on JSON-only endpoint", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .set("Content-Type", "text/plain")
+            .send("some plain text")
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Unsupported Content-Type")
+    })
+
+    it("returns 415 for application/xml", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .set("Content-Type", "application/xml")
+            .send("<root/>")
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Unsupported Content-Type")
+    })
+
+    it("allows text/plain on search endpoint", async () => {
+        const response = await request(routeTester)
+            .post("/api/search")
+            .set("Content-Type", "text/plain")
+            .send("search terms")
+        expect(response.statusCode).toBe(200)
+        expect(response.body.received).toBe("search terms")
+    })
+
+    it("allows application/json on search endpoint", async () => {
+        const response = await request(routeTester)
+            .post("/api/search")
+            .set("Content-Type", "application/json")
+            .send({ searchText: "hello" })
+        expect(response.statusCode).toBe(200)
+        expect(response.body.received.searchText).toBe("hello")
+    })
+
+    it("skips validation for GET requests", async () => {
+        const response = await request(routeTester)
+            .get("/api/info")
+        expect(response.statusCode).toBe(200)
+        expect(response.body.info).toBe(true)
+    })
+
+})

routes/api-routes.js

@@ -44,10 +44,13 @@ import releaseRouter from './release.js';
 import sinceRouter from './since.js';
 // Support GET requests like v1/history/{object id} to discover all previous versions tracing back to the prime.
 import historyRouter from './history.js';
+import rest from '../rest.js'
 
 router.use(staticRouter)
 router.use('/id',idRouter)
 router.use('/api', compatabilityRouter)
+// Validate Content-Type headers on all /api write endpoints (fixes #245, #246, #248)
+router.use('/api', rest.validateContentType)
 router.use('/api/query', queryRouter)
 router.use('/api/search', searchRouter)
 router.use('/api/create', createRouter)