fix: only allow application/json

remoterami · remoterami · commit 38bbb4f9a8a2 · 2025-05-15T14:15:22.000+02:00
diff --git a/backend/pkg/api/auth.go b/backend/pkg/api/auth.go
@@ -58,7 +58,7 @@ func getSlidingSessionExpirationMiddleware(scs *scs.SessionManager) func(http.Ha
 func contentTypeMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// if body is not empty, check if content type is set to json
-		if (r.Method == http.MethodPost || r.Method == http.MethodPut) && r.ContentLength > 0 && regexp.MustCompile(`^application\/json(;.*)?$`).MatchString(r.Header.Get("Content-Type")) {
+		if (r.Method == http.MethodPost || r.Method == http.MethodPut) && r.ContentLength > 0 && !regexp.MustCompile(`^application\/json(;.*)?$`).MatchString(r.Header.Get("Content-Type")) {
 			http.Error(w, "bad request: Content-Type header must be application/json", http.StatusBadRequest)
 			return
 		}

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func getSlidingSessionExpirationMiddleware(scs *scs.SessionManager) func(http.Ha`
`58`	`58`	`func contentTypeMiddleware(next http.Handler) http.Handler {`
`59`	`59`	`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
`60`	`60`	`// if body is not empty, check if content type is set to json`
`61`		- if (r.Method == http.MethodPost \|\| r.Method == http.MethodPut) && r.ContentLength > 0 && regexp.MustCompile(`^application\/json(;.*)?$`).MatchString(r.Header.Get("Content-Type")) {
	`61`	+ if (r.Method == http.MethodPost \|\| r.Method == http.MethodPut) && r.ContentLength > 0 && !regexp.MustCompile(`^application\/json(;.*)?$`).MatchString(r.Header.Get("Content-Type")) {
`62`	`62`	`http.Error(w, "bad request: Content-Type header must be application/json", http.StatusBadRequest)`
`63`	`63`	`return`
`64`	`64`	`}`