
Validate Content Type #407

Closed
wilsonge opened this issue Feb 22, 2017 · 8 comments

Comments

@wilsonge
Contributor

Description

Connexion does not validate the content type of the incoming request against the swagger definition

Expected behaviour

Connexion validates the content type

Steps to reproduce

Create a swagger file that consumes application/json and send a request that has a multipart/form-data content type. The request is accepted when it should be rejected.

Additional info:

Output of the commands:

  • python --version
    Python 3.4.6
  • pip show connexion | grep "^Version\:"
    Version: 2016.0.dev1
@kenneho

kenneho commented Oct 15, 2018

Did you get this working?

@dtkav
Collaborator

dtkav commented Oct 15, 2018

@kenneho can you try the release candidate for Connexion 2.0? You can install it with pip install --pre connexion[swagger-ui].
If I recall correctly, it's fixed in the next release, and will return an error about incorrect content type.

@kenneho

kenneho commented Oct 22, 2018

@kenneho can you try the release candidate for Connexion 2.0? You can install it with pip install --pre connexion[swagger-ui].
If I recall correctly, it's fixed in the next release, and will return an error about incorrect content type.

Thanks. I tried running the release candidate, but got an error: #729

When that one is sorted out I'll try again.

@samuelgrigolato

Just tested this against the master branch, with the following swagger definition:

paths:
  /greeting/{name}:
    post:
      summary: Generate greeting
      description: Generates a greeting message.
      operationId: sandbox.post_greeting
      consumes:
        - application/json
      produces:
        - text/plain
      responses:
        200:
          description: greeting response
          schema:
            type: string
          examples:
            "text/plain": "Hello John"
      parameters:
        - name: name
          in: path
          description: Name of the person to greet.
          required: true
          type: string

And the operation function defined as below:

def post_greeting(name):
    return 'it works!'

When I execute the following command:

curl -X POST \
  http://localhost:8080/v1.0/greeting/Samuel \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
  -F name=value

It shows me it works, when it should be raising an error, if I have understood correctly.

Now talking about fixing this, wouldn't it break backward compatibility with a high potential for trouble with existing users that may be supporting multiple content-types without necessarily reflecting this fact in the swagger/openapi definition? What are your thoughts about this?

@kenneho

kenneho commented Dec 14, 2018

Sorry for the delayed response.

Your understanding of the issue, at least the issue as I see it, is correct. Enforcing this change now might break a lot of clients, but maybe one could implement enforcing this validation as an optional setting?

Coming to think of it, I'd also like Connexion to validate the client's "Accept" header, so that Connexion throws an error if the client asks to get back data in a non-supported content type. In other words, if Connexion could validate both the Content-Type as well as Accept headers, that would be great.
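As an added illustration of the two checks discussed in this thread (not Connexion's own code), the following shows how an incoming Content-Type can be validated against an operation's consumes list, and an Accept header against its produces list. The operation dict is constructed from the swagger definition quoted above; the header parsing, wildcard matching and q-value handling are the example's own assumptions about how such a check would behave, and the multipart/form-data request from the curl command above is used as the rejected input.

```python
"""Validate Content-Type and Accept headers against a Swagger 2.0 operation.

Added example, not Connexion code. It demonstrates the behaviour this issue
asks for: a request whose Content-Type is not in ``consumes`` is rejected
(HTTP 415), and an Accept header that matches nothing in ``produces`` is
rejected (HTTP 406).
"""
from typing import Dict, List, Optional, Tuple

# Constructed from the /greeting/{name} operation quoted earlier in the thread
# (kept as a dict here instead of loading the YAML, so the example runs offline).
GREETING_OPERATION = {
    "consumes": ["application/json"],
    "produces": ["text/plain"],
}

# The Content-Type sent by the curl command in the thread (constructed value).
MULTIPART_REQUEST_CT = (
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
)


def parse_media_type(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; k=v; ...' into a lower-cased media type and params.

    Parameters such as ``boundary`` or ``charset`` must not take part in the
    type comparison, which is why they are separated out here.
    """
    parts = [p.strip() for p in header.split(";")]
    mime = parts[0].lower()
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, _, value = part.partition("=")
            params[key.strip().lower()] = value.strip().strip('"')
    return mime, params


def media_type_matches(offered: str, allowed: str) -> bool:
    """Case-insensitive match where ``allowed`` may use wildcards (*/*, type/*)."""
    o_type, _, o_sub = offered.partition("/")
    a_type, _, a_sub = allowed.partition("/")
    return a_type in ("*", o_type) and a_sub in ("*", o_sub)


def validate_content_type(content_type: Optional[str], consumes: List[str]) -> Optional[str]:
    """Return None if the request body type is acceptable, else a reason (-> 415)."""
    if not consumes:
        return None  # operation declares no consumes list; nothing to enforce
    if not content_type:
        return "missing Content-Type header"
    mime, _params = parse_media_type(content_type)
    for allowed in consumes:
        allowed_mime, _ = parse_media_type(allowed)
        if media_type_matches(mime, allowed_mime):
            return None
    return f"unsupported media type {mime!r}; expected one of {consumes}"


def parse_accept(header: str) -> List[Tuple[str, float]]:
    """Return (media_type, q) pairs, most preferred first; q=0 entries are kept."""
    result: List[Tuple[str, float]] = []
    for item in header.split(","):
        mime, params = parse_media_type(item)
        if not mime:
            continue
        try:
            q = float(params.get("q", "1"))
        except ValueError:
            q = 0.0  # malformed q-value: treat as "not acceptable"
        result.append((mime, q))
    # Higher q first; the sort is stable, so header order decides ties.
    return sorted(result, key=lambda pair: -pair[1])


def validate_accept(accept: Optional[str], produces: List[str]) -> Optional[str]:
    """Return None if some produced type satisfies Accept, else a reason (-> 406)."""
    if not produces or not accept:
        return None  # no Accept header means the client takes anything
    for wanted, q in parse_accept(accept):
        if q <= 0:
            continue  # explicitly refused by the client
        for produced in produces:
            produced_mime, _ = parse_media_type(produced)
            if media_type_matches(produced_mime, wanted):
                return None
    return f"none of {produces} is acceptable to the client ({accept!r})"


if __name__ == "__main__":
    # The request from the thread: multipart body against a JSON-only operation.
    print(validate_content_type(MULTIPART_REQUEST_CT, GREETING_OPERATION["consumes"]))
    # A conforming request with a charset parameter still passes.
    print(validate_content_type("application/json; charset=utf-8", GREETING_OPERATION["consumes"]))
    # Accept negotiation against the operation's produces list.
    print(validate_accept("text/*;q=0.8, application/json", GREETING_OPERATION["produces"]))
    print(validate_accept("application/json", GREETING_OPERATION["produces"]))
```

Both validators return a reason string rather than raising, so a framework wrapper can map the Content-Type failure to 415 and the Accept failure to 406 while logging the reason. Parameters on the media type (boundary, charset) are deliberately ignored during matching, which is what makes the multipart request above fail on its type alone.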

@dtkav
Collaborator

dtkav commented Dec 17, 2018

I believe this is partially fixed in connexion 2.0. Has anyone had a chance to try it?

I'm also working on redoing validation of content types completely. I have a demo going at #760 . If you want to take a look and let me know what you think, that would be awesome.

As far as validating the Accept header, I can look into that, but I'm not sure if that would be standards-unfriendly. If anyone has any supporting docs/RFCs that I could read through on the topic I'd be happy to learn more about it.

@kenneho

kenneho commented Dec 19, 2018

I'm tagged on another project the next couple of days or so, but will check out your connexion fix after that.

@RobbeSneyders
Member

Fixed since #1588
