fix(api): enforce content-type when possible #3410
Conversation
Can you have a look @TBonnin?
An important comment about the /webhook endpoint. The rest LGTM.
export const jsonContentTypeMiddleware: RequestHandler = (req, res, next) => {
    if (req.headers['content-type'] && req.headers['content-type'] !== 'application/json') {
        // Send error here
        res.status(415).json({ error: { code: 'invalid_content_type', message: 'Header Content-Type must be application/json' } });
        return;
    }
    next();
};
nit: 'Content-type header must be ...' no?
@@ -10,6 +10,35 @@ describe('route', () => {
afterAll(() => {
api.server.close();
});

describe('Content-type', () => {
it.each(['GET', 'POST'] as const)('should enforce content-type %s', async (val) => {
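Review bot: The two cases this `it.each` drives (GET and POST with a wrong header) leave the two edge cases of the middleware unpinned: a request that sends no Content-Type at all passes, because the condition `req.headers['content-type'] && req.headers['content-type'] !== 'application/json'` only fires when the header is present, and `application/json; charset=utf-8` is rejected, because the strict `!== 'application/json'` comparison does not strip media-type parameters even though many HTTP clients add the charset by default. Add an explicit test for each so the intended behaviour is documented rather than accidental. Nit: the parameter is the HTTP method, so `method` reads better than `val`.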
we support GET with body? 🙃
It was mostly to ensure it works because we are always putting the header no matter the method (in the UI and probably other customers too)
packages/server/lib/routes.ts (outdated)
// @deprecated
publicAPI.route('/unauth/:providerConfigKey').post(connectSessionOrPublicAuth, postPublicUnauthenticated);

publicAPI.use('/webhook', jsonContentTypeMiddleware);
unfortunately it looks like not all webhooks send json :(
if (headers['content-type'] === 'application/x-www-form-urlencoded') {
Ah yes, thanks for catching that.
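The behaviour the thread converges on (reject a wrong Content-Type with 415 on regular API routes, check it regardless of method because the UI sends it on GET too, and let webhooks through with form-encoded bodies), as an added example that is not Nango's code or the code in this PR. It is written against minimal structural request/response types so it runs without Express installed; the `/webhook` prefix, the accepted webhook media types and all function names are assumptions for illustration. It also goes one step past the PR's strict string comparison by parsing the media type, so `application/json; charset=utf-8` is accepted.

```typescript
// Added example (not Nango's code): a Content-Type gate with the shape of the
// middleware discussed in this PR. Types below are minimal stand-ins for
// Express's Request/Response/NextFunction so the file runs stand-alone.

interface Req {
  method: string;
  path: string;
  headers: Record<string, string | undefined>;
}
interface Res {
  statusCode?: number;
  body?: unknown;
}
type Next = () => void;

interface Decision {
  ok: boolean;
  status?: number;
  code?: string;
  message?: string;
}

// Assumption: webhook receivers live under this prefix and may get non-JSON bodies.
const WEBHOOK_PREFIX = '/webhook';
const WEBHOOK_TYPES: string[] = ['application/json', 'application/x-www-form-urlencoded'];

// Media type without parameters: "Application/JSON; charset=utf-8" -> "application/json".
// A strict comparison against the raw header value would reject that input.
function mediaType(contentType: string | undefined): string | undefined {
  if (contentType === undefined || contentType.trim() === '') {
    return undefined;
  }
  return contentType.split(';')[0].trim().toLowerCase();
}

function reject(allowed: string): Decision {
  return { ok: false, status: 415, code: 'invalid_content_type', message: 'Content-Type header must be ' + allowed };
}

// Pure decision function: unit-testable without starting a server.
function checkContentType(req: Req): Decision {
  const type = mediaType(req.headers['content-type']);
  // As in the PR, a request with no Content-Type at all is left alone, and the
  // header is checked on every method because clients send it on GET as well.
  if (type === undefined) {
    return { ok: true };
  }
  if (req.path.indexOf(WEBHOOK_PREFIX) === 0) {
    // Providers differ, so webhooks accept JSON or form-encoded payloads.
    return WEBHOOK_TYPES.indexOf(type) !== -1 ? { ok: true } : reject('application/json or application/x-www-form-urlencoded');
  }
  return type === 'application/json' ? { ok: true } : reject('application/json');
}

// Express-style wiring: answer 415 with the error envelope, or hand off to the next handler.
function contentTypeMiddleware(req: Req, res: Res, next: Next): void {
  const decision = checkContentType(req);
  if (decision.ok) {
    next();
    return;
  }
  res.statusCode = decision.status;
  res.body = { error: { code: decision.code, message: decision.message } };
}

// Constructed sample requests, one per branch; returns name -> accepted.
function demo(): Record<string, boolean> {
  const cases: { name: string; req: Req }[] = [
    { name: 'postJson', req: { method: 'POST', path: '/connection', headers: { 'content-type': 'application/json' } } },
    { name: 'postJsonCharset', req: { method: 'POST', path: '/connection', headers: { 'content-type': 'application/json; charset=utf-8' } } },
    { name: 'getJsonNoBody', req: { method: 'GET', path: '/connection', headers: { 'content-type': 'application/json' } } },
    { name: 'postNoHeader', req: { method: 'POST', path: '/connection', headers: {} } },
    { name: 'postText', req: { method: 'POST', path: '/connection', headers: { 'content-type': 'text/plain' } } },
    { name: 'webhookForm', req: { method: 'POST', path: '/webhook/provider', headers: { 'content-type': 'application/x-www-form-urlencoded' } } },
    { name: 'webhookXml', req: { method: 'POST', path: '/webhook/provider', headers: { 'content-type': 'text/xml' } } },
  ];
  const out: Record<string, boolean> = {};
  for (let i = 0; i < cases.length; i++) {
    out[cases[i].name] = checkContentType(cases[i].req).ok;
  }
  return out;
}
```

Note that a missing header still passes, exactly as in the PR's `req.headers['content-type'] && ...` condition: the 415 is a hint to misconfigured clients, not a boundary an attacker has to cross, so it must not be relied on as CSRF-style protection.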
Changes
Fixes https://linear.app/nango/issue/NAN-2578/enforce-applicationjson-header-for-regulard-api-endpoints
I specifically did not enforce that on the proxy. I tested everything I could and hopefully haven't missed anything.
🧪Tests