
fix(api): enforce content-type when possible #3410

Merged
merged 5 commits into from
Jan 31, 2025

Conversation

bodinsamuel
Collaborator

@bodinsamuel bodinsamuel commented Jan 30, 2025

Changes

Fixes https://linear.app/nango/issue/NAN-2578/enforce-applicationjson-header-for-regulard-api-endpoints

  • Enforce content-type when possible
    I specifically did not enforce that on the proxy. Tested everything I could, and hopefully haven't missed anything

🧪Tests

  • Run the dashboard UI and do some stuff
  • Call the public API

It's not a breaking change per se, since it would just not work before, but I will still announce that in the community before merging

@bodinsamuel bodinsamuel self-assigned this Jan 30, 2025

linear bot commented Jan 30, 2025

@bodinsamuel bodinsamuel requested a review from a team January 30, 2025 12:55
@bodinsamuel
Collaborator Author

Can you have a look @TBonnin?

Collaborator

@TBonnin TBonnin left a comment


an important comment about the /webhook endpoint. The rest lgtm

export const jsonContentTypeMiddleware: RequestHandler = (req, res, next) => {
if (req.headers['content-type'] && req.headers['content-type'] !== 'application/json') {
// Send error here
res.status(415).json({ error: { code: 'invalid_content_type', message: 'Header Content-Type must be application/json' } });
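Review bot: the strict `!== 'application/json'` comparison rejects any client that adds a media-type parameter, most commonly `application/json; charset=utf-8`, which is a valid JSON content type that several HTTP libraries emit by default. Compare the media type alone, e.g. `req.headers['content-type'].split(';')[0].trim().toLowerCase() !== 'application/json'`, or run the header through a Content-Type parser. The excerpt also ends right after `res.status(415).json(...)` without showing a `return`; confirm that branch returns so `next()` is not reached after the error response has been sent.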
Collaborator

nit: 'Content-type header must be ...' no?

@@ -10,6 +10,35 @@ describe('route', () => {
afterAll(() => {
api.server.close();
});

describe('Content-type', () => {
it.each(['GET', 'POST'] as const)('should enforce content-type %s', async (val) => {
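Review bot: the `it.each(['GET', 'POST'])` matrix only varies the HTTP method, while the inputs that actually distinguish this middleware's behaviour are not exercised. Add a case with no `Content-Type` header at all (expected to pass through, since the check only applies "when possible"), one with `application/json; charset=utf-8`, and one with a non-JSON type that asserts the 415 status and the `{ error: { code: 'invalid_content_type' } }` body.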
Collaborator

we support GET with body? 🙃

Collaborator Author

It was mostly to ensure it works because we are always putting the header no matter the method (in the UI and probably other customers too)

// @deprecated
publicAPI.route('/unauth/:providerConfigKey').post(connectSessionOrPublicAuth, postPublicUnauthenticated);

publicAPI.use('/webhook', jsonContentTypeMiddleware);
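Review bot: mounting `jsonContentTypeMiddleware` on `/webhook` will answer 415 to any provider that posts form-encoded webhooks, and the handler code quoted later in this thread explicitly branches on `headers['content-type'] === 'application/x-www-form-urlencoded'`, so such providers exist. Either drop the middleware from this route, as the reviewer's comment implies, or give the middleware a per-route allow-list of media types instead of a single hard-coded `application/json`.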
Collaborator

@TBonnin TBonnin Jan 31, 2025

unfortunately it looks like not all webhooks send json :(

if (headers['content-type'] === 'application/x-www-form-urlencoded') {
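Review bot: once the middleware is removed from `/webhook`, this strict equality is the only content-type handling left for form-encoded webhooks, and it will not match `application/x-www-form-urlencoded; charset=utf-8`. Compare on the parsed media type here as well rather than on the raw header value.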

Collaborator Author

ah yes thanks for catching that

@bodinsamuel bodinsamuel merged commit f6218ff into master Jan 31, 2025
17 checks passed
@bodinsamuel bodinsamuel deleted the sam/25_01_30/fix/api-content-type branch January 31, 2025 09:25