fix: return helpful error when Content-Type header is not application/json (#795)

Author: wolfy1339

src/middleware/node/middleware.ts

@@ -1,5 +1,5 @@
 // remove type imports from http for Deno compatibility
-// see https://github.com/octokit/octokit.js/issues/24#issuecomment-817361886
+// see https://github.com/octokit/octokit.js/issues/2075#issuecomment-817361886
 // import { IncomingMessage, ServerResponse } from "http";
 type IncomingMessage = any;
 type ServerResponse = any;
@@ -44,6 +44,22 @@ export async function middleware(
     }
   }
 
+  // Check if the Content-Type header is `application/json` and allow for charset to be specified in it
+  // Otherwise, return a 415 Unsupported Media Type error
+  // See https://github.com/octokit/webhooks.js/issues/158
+  if (!request.headers["content-type"].startsWith("application/json")) {
+    response.writeHead(415, {
+      "content-type": "application/json",
+      accept: "application/json",
+    });
+    response.end(
+      JSON.stringify({
+        error: `Unsupported "Content-Type" header value. Must be "application/json"`,
+      })
+    );
+    return;
+  }
+
   const missingHeaders = getMissingHeaders(request).join(", ");
 
   if (missingHeaders) {

test/integration/node-middleware.test.ts

@@ -48,6 +48,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -92,6 +93,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -106,6 +108,37 @@ describe("createNodeMiddleware(webhooks)", () => {
     server.close();
   });
 
+  test("Handles invalid Content-Type", async () => {
+    const webhooks = new Webhooks({
+      secret: "mySecret",
+    });
+
+    const server = createServer(createNodeMiddleware(webhooks)).listen();
+
+    // @ts-expect-error complains about { port } although it's included in returned AddressInfo interface
+    const { port } = server.address();
+    const response = await fetch(
+      `http://localhost:${port}/api/github/webhooks`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "text/plain",
+          "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
+          "X-GitHub-Event": "push",
+          "X-Hub-Signature-256": signatureSha256,
+        },
+        body: pushEventPayload,
+      }
+    );
+
+    await expect(response.text()).resolves.toBe(
+      '{"error":"Unsupported \\"Content-Type\\" header value. Must be \\"application/json\\""}'
+    );
+    expect(response.status).toEqual(415);
+
+    server.close();
+  });
+
   test("Handles invalid JSON", async () => {
     const webhooks = new Webhooks({
       secret: "mySecret",
@@ -121,6 +154,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -151,6 +185,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "PUT",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -183,6 +218,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           // "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -219,6 +255,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -252,6 +289,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -290,6 +328,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -325,6 +364,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
@@ -413,6 +453,7 @@ describe("createNodeMiddleware(webhooks)", () => {
     const response = await fetch(`http://localhost:${port}/test`, {
       method: "POST",
       headers: {
+        "Content-Type": "application/json",
         "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
         "X-GitHub-Event": "push",
         "X-Hub-Signature-256": signatureSha256,
@@ -444,6 +485,7 @@ describe("createNodeMiddleware(webhooks)", () => {
     const response = await fetch(`http://localhost:${port}/test`, {
       method: "POST",
       headers: {
+        "Content-Type": "application/json",
         "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
         "X-GitHub-Event": "push",
         "X-Hub-Signature-256": signatureSha256,
@@ -484,6 +526,7 @@ describe("createNodeMiddleware(webhooks)", () => {
       {
         method: "POST",
         headers: {
+          "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,