fix: restrict content type to json only

supabase · Apr 15, 2024 · 21a999e · 21a999e
1 parent bf4db46
commit 21a999e
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/internal/api/hooks.go b/internal/api/hooks.go
@@ -145,7 +145,7 @@ func (a *API) runHTTPHook(r *http.Request, hookConfig conf.ExtensibilityPointCon
 			return nil, internalServerError("Invalid Content-Type header")
 		}
 		if mediaType != "application/json" {
-			return nil, internalServerError("Expected JSON response from hook, received: " + contentType)
+			return nil, internalServerError("Invalid JSON response. Received content-type: " + contentType)
 		}
 
 		switch rsp.StatusCode {

diff --git a/internal/api/hooks_test.go b/internal/api/hooks_test.go
@@ -155,6 +155,35 @@ func (ts *HooksTestSuite) TestShouldRetryWithRetryAfterHeader() {
 	require.True(ts.T(), gock.IsDone(), "Expected all mocks to have been called including retry")
 }
 
+func (ts *HooksTestSuite) TestShouldReturnErrorForNonJSONContentType() {
+	defer gock.OffAll()
+
+	input := hooks.SendSMSInput{
+		UserID: uuid.Must(uuid.NewV4()),
+		Phone:  "1234567890",
+		OTP:    "123456",
+	}
+	testURL := "http://localhost:54321/functions/v1/custom-sms-sender"
+	ts.Config.Hook.SendSMS.URI = testURL
+
+	gock.New(testURL).
+		Post("/").
+		MatchType("json").
+		Reply(http.StatusOK).
+		SetHeader("content-type", "text/plain")
+
+	var output hooks.SendSMSOutput
+
+	req, err := http.NewRequest("POST", "http://localhost:9999/otp", nil)
+	require.NoError(ts.T(), err)
+
+	_, err = ts.API.runHTTPHook(req, ts.Config.Hook.SendSMS, &input, &output)
+	require.Error(ts.T(), err, "Expected an error due to wrong content type")
+	require.Contains(ts.T(), err.Error(), "Invalid JSON response.")
+
+	require.True(ts.T(), gock.IsDone(), "Expected all mocks to have been called")
+}
+
 func (ts *HooksTestSuite) TestInvokeHookIntegration() {
 	// We use the Send Email Hook as illustration
 	defer gock.OffAll()