Content-Type


Ramsay Brown

May 17, 2014, 3:17:22 AM
to action...@googlegroups.com
Hey Evan and AH.js community!

Where in the configuration files is one able to set the acceptable range of "Content-Type" headers for requests?
I'd like to implement a layer of security that stops any request that lacks the proper Content-Type in its header, but I can't seem to find any affordance in the configuration interface for doing so.
However: by default it appears that only Content-Type:application/json requests are getting through. This is acceptable, but I'd REALLY prefer to know how and why this is happening.

Anyone know of anything?

Cheers,
Rams

Evan Tahler

May 21, 2014, 12:27:49 AM
to action...@googlegroups.com
actionhero doesn't do any limiting/checking of the content type of a request, but follows pretty normal form parsing logic via the formidable package. With GET, using a content type of `text/xml` works just as well as `something/crazy`, i.e. these both work with the example cacheTest action:

- curl -X GET -H "Content-Type:text/xml" 'http://localhost:8080/api/cacheTest?key=k&value=v' -v
- curl -X GET -H "Content-Type:something/crazy" 'http://localhost:8080/api/cacheTest?key=k&value=v' -v

Now with POST requests (where you specify params as form variables, and not part of the URL/query string), the content type must match form data.  If you want to send form data, the Content-Type must be something like `application/x-www-form-urlencoded` and not `text/xml`.  For example, this works:

curl -X POST -H "Content-Type:application/x-www-form-urlencoded" 'http://localhost:8080/api/cacheTest' -d 'key=k' -d 'value=v'  -v

while this doesn't:

curl -X POST -H "Content-Type:text/xml" 'http://localhost:8080/api/cacheTest' -d 'key=k' -d 'value=v'  -v

Following this, if you want to post a JSON body payload, you have to be sure that the Content-Type matches.  The following is a valid JSON way to send the same information (note the Content-Type change):

curl -X POST -H "Content-Type:application/json" 'http://localhost:8080/api/cacheTest' -d '{"key":"k", "value":"v"}'  -v

You can pass options to formidable via `api.config.servers.web.formOptions` in `config/servers/web.js`. If you want to limit your API to only accept certain Content-Types, you can inspect a connection's type with `connection.rawConnection.req.headers`. You can create a middleware to reject all requests without a certain header if you would like.
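As an added illustration of the allow-list check suggested above (example code, not from this thread or from actionhero itself): the decision logic is a pure function over the request method and headers, so it only checks methods that carry a body, matching the GET-vs-POST behaviour described in the reply. The preProcessor wrapper around it assumes the 2014-era `function(connection, actionTemplate, next)` signature and the `responseHttpCode` field; verify both against the actionhero version you run.

```javascript
// Added example: Content-Type allow-list for actionhero web connections.
// Assumption: these are the body formats the server is prepared to parse.
const ALLOWED_TYPES = ['application/json', 'application/x-www-form-urlencoded', 'multipart/form-data'];
// GET/HEAD pass params in the query string, so their Content-Type is irrelevant.
const BODY_METHODS = new Set(['POST', 'PUT', 'PATCH']);

// Reduce a header value such as "Application/JSON; charset=utf-8" to the
// bare media type "application/json". Returns '' when the header is absent.
function mediaType(headerValue) {
  if (typeof headerValue !== 'string') return '';
  return headerValue.split(';')[0].trim().toLowerCase();
}

// Returns null when the request is acceptable, otherwise a short reason.
// Node lowercases incoming header names, hence headers['content-type'].
function contentTypeProblem(method, headers, allowed = ALLOWED_TYPES) {
  if (!BODY_METHODS.has(String(method).toUpperCase())) return null;
  const type = mediaType(headers['content-type']);
  if (type === '') return 'missing Content-Type';
  if (!allowed.includes(type)) return 'unsupported Content-Type: ' + type;
  return null;
}

// Middleware wrapper (assumed signature, see lead-in). Registration would be
// api.actions.addPreProcessor(contentTypePreProcessor) in an initializer.
function contentTypePreProcessor(connection, actionTemplate, next) {
  if (connection.type !== 'web') return next(connection, true); // sockets etc. have no HTTP headers
  const req = connection.rawConnection.req;
  const problem = contentTypeProblem(req.method, req.headers);
  if (problem) {
    connection.rawConnection.responseHttpCode = 415; // Unsupported Media Type (assumed field name)
    connection.error = new Error(problem);           // setting connection.error makes actionhero render the error
  }
  return next(connection, true);
}
```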