Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Api prevents access to GET requests without Content-Type

See original GitHub issue

Environment: CTFD in docker using official container CTFd Version/Commit: ctfd/ctfd:latest Operating System: docker Web Browser and Version: N/A What happened? HTML response with login page

What did you expect to happen? JSON result for the api request (/api/v1/challenges in my case, but really any get)

How to reproduce your issue Try to get a json api on any ctfd instance using “Authorizaion: Token <token>” and without session cookies.

Today I tried to install a challenge using ctfcli and got greeted by an error message. I have it attached below, but it is not really relevant as the issue seems to be with ctfd and not the api. I tried the same request using a http client and got the login page instead even though the token clearly was valid in the right format. So I dug into the code and found this line, which only accepts tokens if the content-type is set to application/json, which for a GET request is not the case. I tried it and indeed adding the “Content-Type” header to my request made it work.

  • If this is expected behaviour (which I highly doubt) then this is a documentation issue since it is not documented anywhere.
  • If it is not a documentation issue (more likely since my rest tool even warned me that content-type is not supposed to be on a get request), then this is the relevant line for the check.

Note: This is hard to test in a browser since any successfully request sets the session cookie which takes precedence over the Auth header.


Issue Analytics

  • State:open
  • Created 2 years ago
  • Comments:7 (4 by maintainers)

github_iconTop GitHub Comments

Thalhammercommented, Aug 11, 2021

You are right I could not find a RFC that says “you can’t use content-type without a body”. That said, I have also never seen any api that requires having a content-type set without having a body. Usually it’s as follows:

  • Set content-type if there is a body in the message (post,put,patch,…)
  • Don’t care if there is none (get & usually delete)
  • Set Accept to indicate the content type you want back

If ctfd chooses to always require a content-type (which it is obviously free to do, albeit unusual) it should be clearly documented in the api docs. Because right now there is no mention of this at all, unless you dig deep into the code and all indicators ctfd gives is that the token is invalid or the authorization header is wrong.

Accept is different from Content-type. Content-Type indicated the type of the current message (e.g. upload), Accept indicates what the client wishes to get back (download).

A detailed answer about the topic including links to RFC 7231: The RFC nowhere says (or at least I could not find it) that content-type should not be on an empty request though.

nikitastupincommented, Nov 18, 2021

Hey 👋 Just made a PR to clarify this behaviour in the documentation.

Read more comments on GitHub >

github_iconTop Results From Across the Web

REST requests without Content-Type header - Drupal
Problem/Motivation Enable REST module Try doing a GET request, that works: jQuery.ajax({ url: Drupal.url('node/' + nodeID) + '?
Read more >
Requests - get content-type/size without fetching the whole ...
Yes. You can use the Session.head method to create HEAD requests: response = session.head(url, timeout=self.
Read more >
How a RESTful API server reacts to requests - O'Reilly
Users trying to access resources without permission. etc. ... REQUEST: POST /rents/ HTTP/1.1 Content-Type: application/json ...
Read more >
Cross-Origin Resource Sharing (CORS) - MDN Web Docs
The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such ...
Read more >
Configuring CORS - Apollo GraphQL Docs
This is not a security vulnerability, but it does prevent your API from successfully ... GET requests without sending Content-Type , X-Apollo-Operation-Name ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found