Fixed: Allow partially matching accept headers as defined in HTTP standard (and block parameters)

Bart Koelman · Bart Koelman · commit 8ff14c5a39d3 · 2020-04-29T12:40:55.000+02:00
diff --git a/src/JsonApiDotNetCore/Middleware/CurrentRequestMiddleware.cs b/src/JsonApiDotNetCore/Middleware/CurrentRequestMiddleware.cs
@@ -1,3 +1,4 @@
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Net;
@@ -77,44 +78,52 @@ private ResourceContext CreateResourceContext(IControllerResourceMapping control
         private async Task<bool> ValidateContentTypeHeaderAsync()
         {
             var contentType = _httpContext.Request.ContentType;
-            if (contentType != null)
+            if (contentType != null && contentType != HeaderConstants.MediaType)
             {
-                if (!MediaTypeHeaderValue.TryParse(contentType, out var headerValue) ||
-                    headerValue.MediaType != HeaderConstants.MediaType || headerValue.CharSet != null ||
-                    headerValue.Parameters.Any(p => p.Name != "ext"))
+                await FlushResponseAsync(_httpContext, new Error(HttpStatusCode.UnsupportedMediaType)
                 {
-                    await FlushResponseAsync(_httpContext, new Error(HttpStatusCode.UnsupportedMediaType)
-                    {
-                        Title = "The specified Content-Type header value is not supported.",
-                        Detail = $"Please specify '{HeaderConstants.MediaType}' instead of '{contentType}' for the Content-Type header value."
-                    });
-
-                    return false;
-                }
+                    Title = "The specified Content-Type header value is not supported.",
+                    Detail = $"Please specify '{HeaderConstants.MediaType}' instead of '{contentType}' for the Content-Type header value."
+                });
+                return false;
             }
 
             return true;
         }
 
         private async Task<bool> ValidateAcceptHeaderAsync()
         {
-            if (_httpContext.Request.Headers.TryGetValue("Accept", out StringValues acceptHeaders))
+            StringValues acceptHeaders = _httpContext.Request.Headers["Accept"];
+            if (!acceptHeaders.Any() || acceptHeaders == HeaderConstants.MediaType)
+            {
+                return true;
+            }
+
+            bool seenCompatibleMediaType = false;
+
+            foreach (var acceptHeader in acceptHeaders)
             {
-                foreach (var acceptHeader in acceptHeaders)
+                if (MediaTypeHeaderValue.TryParse(acceptHeader, out var headerValue))
                 {
-                    if (MediaTypeHeaderValue.TryParse(acceptHeader, out var headerValue))
+                    if (headerValue.MediaType == "*/*" || headerValue.MediaType == "application/*")
                     {
-                        if (headerValue.MediaType == HeaderConstants.MediaType &&
-                            headerValue.Parameters.All(p => p.Name == "ext"))
-                        {
-                            return true;
-                        }
+                        seenCompatibleMediaType = true;
+                        break;
+                    }
+
+                    if (headerValue.MediaType == HeaderConstants.MediaType && !headerValue.Parameters.Any())
+                    {
+                        seenCompatibleMediaType = true;
+                        break;
                     }
                 }
+            }
 
+            if (!seenCompatibleMediaType)
+            {
                 await FlushResponseAsync(_httpContext, new Error(HttpStatusCode.NotAcceptable)
                 {
-                    Title = "The specified Accept header value is not supported.",
+                    Title = "The specified Accept header value does not contain any supported media types.",
                     Detail = $"Please include '{HeaderConstants.MediaType}' in the Accept header values."
                 });
                 return false;
diff --git a/test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/ContentNegotiationTests.cs b/test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/ContentNegotiationTests.cs
@@ -50,7 +50,7 @@ public async Task Respond_415_If_Content_Type_Header_Is_Not_JsonApi_Media_Type()
             var server = new TestServer(builder);
             var client = server.CreateClient();
             var request = new HttpRequestMessage(new HttpMethod("POST"), route) {Content = new StringContent(string.Empty)};
-            request.Content.Headers.ContentType = new MediaTypeHeaderValue("text/html");
+            request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse("text/html");
 
             // Act
             var response = await client.SendAsync(request);
@@ -78,7 +78,7 @@ public async Task Respond_201_If_Content_Type_Header_Is_JsonApi_Media_Type()
             var server = new TestServer(builder);
             var client = server.CreateClient();
             var request = new HttpRequestMessage(HttpMethod.Post, route) {Content = new StringContent(serializer.Serialize(todoItem))};
-            request.Content.Headers.ContentType = new MediaTypeHeaderValue(HeaderConstants.MediaType);
+            request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse(HeaderConstants.MediaType);
 
             // Act
             var response = await client.SendAsync(request);
@@ -88,43 +88,65 @@ public async Task Respond_201_If_Content_Type_Header_Is_JsonApi_Media_Type()
         }
 
         [Fact]
-        public async Task Respond_201_If_Content_Type_Header_Is_JsonApi_Media_Type_With_Extension()
+        public async Task Respond_415_If_Content_Type_Header_Is_JsonApi_Media_Type_With_Profile()
         {
             // Arrange
-            var serializer = _fixture.GetSerializer<TodoItem>(e => new { e.Description });
-            var todoItem = new TodoItem {Description = "something not to forget"};
+            var builder = new WebHostBuilder().UseStartup<Startup>();
+            var route = "/api/v1/todoItems";
+            var server = new TestServer(builder);
+            var client = server.CreateClient();
+            var request = new HttpRequestMessage(new HttpMethod("POST"), route) {Content = new StringContent(string.Empty)};
+            request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse(HeaderConstants.MediaType + "; profile=something");
+
+            // Act
+            var response = await client.SendAsync(request);
 
+            // Assert
+            Assert.Equal(HttpStatusCode.UnsupportedMediaType, response.StatusCode);
+
+            var body = await response.Content.ReadAsStringAsync();
+            var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
+            Assert.Single(errorDocument.Errors);
+            Assert.Equal(HttpStatusCode.UnsupportedMediaType, errorDocument.Errors[0].StatusCode);
+            Assert.Equal("The specified Content-Type header value is not supported.", errorDocument.Errors[0].Title);
+            Assert.Equal("Please specify 'application/vnd.api+json' instead of 'application/vnd.api+json; profile=something' for the Content-Type header value.", errorDocument.Errors[0].Detail);
+        }
+
+        [Fact]
+        public async Task Respond_415_If_Content_Type_Header_Is_JsonApi_Media_Type_With_Extension()
+        {
             // Arrange
             var builder = new WebHostBuilder().UseStartup<Startup>();
             var route = "/api/v1/todoItems";
             var server = new TestServer(builder);
             var client = server.CreateClient();
-            var request = new HttpRequestMessage(HttpMethod.Post, route) {Content = new StringContent(serializer.Serialize(todoItem))};
-            request.Content.Headers.ContentType = new MediaTypeHeaderValue(HeaderConstants.MediaType)
-            {
-                Parameters = {new NameValueHeaderValue("ext", "some-extension")}
-            };
+            var request = new HttpRequestMessage(new HttpMethod("POST"), route) {Content = new StringContent(string.Empty)};
+            request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse(HeaderConstants.MediaType + "; ext=something");
 
             // Act
             var response = await client.SendAsync(request);
 
             // Assert
-            Assert.Equal(HttpStatusCode.Created, response.StatusCode);
+            Assert.Equal(HttpStatusCode.UnsupportedMediaType, response.StatusCode);
+
+            var body = await response.Content.ReadAsStringAsync();
+            var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
+            Assert.Single(errorDocument.Errors);
+            Assert.Equal(HttpStatusCode.UnsupportedMediaType, errorDocument.Errors[0].StatusCode);
+            Assert.Equal("The specified Content-Type header value is not supported.", errorDocument.Errors[0].Title);
+            Assert.Equal("Please specify 'application/vnd.api+json' instead of 'application/vnd.api+json; ext=something' for the Content-Type header value.", errorDocument.Errors[0].Detail);
         }
 
         [Fact]
-        public async Task Respond_415_If_Content_Type_Header_Is_JsonApi_Media_Type_With_CharSet_Parameter()
+        public async Task Respond_415_If_Content_Type_Header_Is_JsonApi_Media_Type_With_CharSet()
         {
             // Arrange
             var builder = new WebHostBuilder().UseStartup<Startup>();
             var route = "/api/v1/todoItems";
             var server = new TestServer(builder);
             var client = server.CreateClient();
             var request = new HttpRequestMessage(HttpMethod.Post, route) {Content = new StringContent(string.Empty)};
-            request.Content.Headers.ContentType = new MediaTypeHeaderValue(HeaderConstants.MediaType)
-            {
-                CharSet = "ISO-8859-4"
-            };
+            request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse(HeaderConstants.MediaType + "; charset=ISO-8859-4");
 
             // Act
             var response = await client.SendAsync(request);
@@ -141,18 +163,15 @@ public async Task Respond_415_If_Content_Type_Header_Is_JsonApi_Media_Type_With_
         }
 
         [Fact]
-        public async Task Respond_415_If_Content_Type_Header_Is_JsonApi_Media_Type_With_Unknown_Parameter()
+        public async Task Respond_415_If_Content_Type_Header_Is_JsonApi_Media_Type_With_Unknown()
         {
             // Arrange
             var builder = new WebHostBuilder().UseStartup<Startup>();
             var route = "/api/v1/todoItems";
             var server = new TestServer(builder);
             var client = server.CreateClient();
             var request = new HttpRequestMessage(HttpMethod.Post, route) {Content = new StringContent(string.Empty)};
-            request.Content.Headers.ContentType = new MediaTypeHeaderValue(HeaderConstants.MediaType)
-            {
-                Parameters = {new NameValueHeaderValue("unknown", "unexpected")}
-            };
+            request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse(HeaderConstants.MediaType + "; unknown=unexpected");
 
             // Act
             var response = await client.SendAsync(request);
@@ -186,17 +205,15 @@ public async Task Respond_200_If_Accept_Headers_Are_Missing()
         }
 
         [Fact]
-        public async Task Respond_200_If_Accept_Headers_Contain_JsonApi_Media_Type()
+        public async Task Respond_200_If_Accept_Headers_Include_Any()
         {
             // Arrange
             var builder = new WebHostBuilder().UseStartup<Startup>();
             var route = "/api/v1/todoItems";
             var server = new TestServer(builder);
             var client = server.CreateClient();
             client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("text/html"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; some=1"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; other=2"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("*/*"));
             var request = new HttpRequestMessage(HttpMethod.Get, route);
 
             // Act
@@ -207,23 +224,15 @@ public async Task Respond_200_If_Accept_Headers_Contain_JsonApi_Media_Type()
         }
 
         [Fact]
-        public async Task Respond_200_If_Accept_Headers_Contain_JsonApi_Media_Type_With_Extension()
+        public async Task Respond_200_If_Accept_Headers_Include_Application_Prefix()
         {
             // Arrange
             var builder = new WebHostBuilder().UseStartup<Startup>();
             var route = "/api/v1/todoItems";
             var server = new TestServer(builder);
             var client = server.CreateClient();
             client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("text/html"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; some=1"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; other=2"));
-            client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue(HeaderConstants.MediaType)
-            {
-                Parameters =
-                {
-                    new NameValueHeaderValue("ext", "some-extension")
-                }
-            });
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("application/*"));
             var request = new HttpRequestMessage(HttpMethod.Get, route);
 
             // Act
@@ -234,42 +243,39 @@ public async Task Respond_200_If_Accept_Headers_Contain_JsonApi_Media_Type_With_
         }
 
         [Fact]
-        public async Task Respond_406_If_Accept_Headers_Do_Not_Contain_JsonApi_Media_Type()
+        public async Task Respond_200_If_Accept_Headers_Contain_JsonApi_Media_Type()
         {
             // Arrange
             var builder = new WebHostBuilder().UseStartup<Startup>();
             var route = "/api/v1/todoItems";
             var server = new TestServer(builder);
             var client = server.CreateClient();
             client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("text/html"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("image/*"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; profile=some"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; ext=other"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; unknown=unexpected"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType));
             var request = new HttpRequestMessage(HttpMethod.Get, route);
 
             // Act
             var response = await client.SendAsync(request);
 
             // Assert
-            Assert.Equal(HttpStatusCode.NotAcceptable, response.StatusCode);
-
-            var body = await response.Content.ReadAsStringAsync();
-            var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
-            Assert.Single(errorDocument.Errors);
-            Assert.Equal(HttpStatusCode.NotAcceptable, errorDocument.Errors[0].StatusCode);
-            Assert.Equal("The specified Accept header value is not supported.", errorDocument.Errors[0].Title);
-            Assert.Equal("Please include 'application/vnd.api+json' in the Accept header values.", errorDocument.Errors[0].Detail);
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
         }
 
         [Fact]
-        public async Task Respond_406_If_Accept_Headers_Contain_JsonApi_Media_Type_With_Only_Parameters_Other_Than_Extension()
+        public async Task Respond_406_If_Accept_Headers_Only_Contain_JsonApi_Media_Type_With_Parameters()
         {
             // Arrange
             var builder = new WebHostBuilder().UseStartup<Startup>();
             var route = "/api/v1/todoItems";
             var server = new TestServer(builder);
             var client = server.CreateClient();
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("text/html"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; some=1"));
-            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; other=2"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; profile=some"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; ext=other"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; unknown=unexpected"));
+            client.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse(HeaderConstants.MediaType + "; charset=ISO-8859-4"));
             var request = new HttpRequestMessage(HttpMethod.Get, route);
 
             // Act
@@ -282,7 +288,7 @@ public async Task Respond_406_If_Accept_Headers_Contain_JsonApi_Media_Type_With_
             var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
             Assert.Single(errorDocument.Errors);
             Assert.Equal(HttpStatusCode.NotAcceptable, errorDocument.Errors[0].StatusCode);
-            Assert.Equal("The specified Accept header value is not supported.", errorDocument.Errors[0].Title);
+            Assert.Equal("The specified Accept header value does not contain any supported media types.", errorDocument.Errors[0].Title);
             Assert.Equal("Please include 'application/vnd.api+json' in the Accept header values.", errorDocument.Errors[0].Detail);
         }
     }
