Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Validation of Content-Type (for JSON requests)

See original GitHub issue

If I have a POST endpoint that accepts JSON, and use webargs for the parsing and validation of that, it will give me an error that all args are missing if the content type of the request is not ‘application/json’.

I believe this is incorrect. If I have decided that the endpoint should only accept JSON, I think a mime type error should be thrown if the correct content-type is not used. Otherwise, it is very confusing for the user what is wrong with the request. As a workaround I would do this validation myself within the controller, but since webargs throws the error before the code in the controller gets reached, that is a no-go. The only workaround atm would be to decorate the controller before webargs and check there.

I know this might be outside of webargs area, but I don’t know how else to approach this problem (the decorator works but…I mean…so…many…decorators).

If the locations includes JSON, the request header should be checked. That’s my opinion.

Issue Analytics

State:
Created 6 years ago
Comments:7 (4 by maintainers)

Top GitHub Comments

1reaction

sloriacommented, Oct 24, 2017

Yes, I recommend doing content-type validation outside of webargs.

An alternative to my workaround above would be to do the validation in a middleware or hook, e.g. before_request in Flask:

from flask import Flask, jsonify as J, abort, request
from webargs.flaskparser import use_args
from webargs import fields

app = Flask(__name__)
app.debug = True

@app.route('/json', methods=['POST'])
@use_args({'name': fields.Str()}, locations=['json'])
def echo_json(args):
    return J(args)

# Require that all requests have a JSON Content-Type
@app.before_request
def require_json():
    if not request.is_json:
        abort(415)

@app.errorhandler(415)
def handle_unsupported_media_type(err):
    return J({
        'error': 'Unsupported Media Type'
    }), 415

0reactions

fgblomqvistcommented, Oct 24, 2017

Ah I see what you’re saying. I suppose one way to do it would be to check if locations only contains one item, and that item is json, and if it does, verify content-type. I am just trying to make it more sensible for REST APIs (which afaik do not allow the loose structure you’re describing, where a parameter can be in different locations), but I understand if it is too much of an edge-case.

At least there is the workaround you posted earlier.