Require Content-Type in POST request

Author: rubensworks

lib/handlers/post.js

@@ -58,7 +58,7 @@ async function handler (req, res, next) {
       const { url: putUrl } = await ldp.resourceMapper.mapFileToUrl(
         { path: ldp.resourceMapper._rootPath + path.join(containerPath, filename), hostname: req.hostname })
       try {
-        await ldp.put(putUrl, file)
+        await ldp.put(putUrl, file, mimetype)
       } catch (err) {
         busboy.emit('error', err)
       }

lib/handlers/put.js

@@ -8,7 +8,7 @@ async function handler (req, res, next) {
   res.header('MS-Author-Via', 'SPARQL')
 
   try {
-    await ldp.put(req, req)
+    await ldp.put(req, req, req.headers['content-type'])
     debug('succeded putting the file')
 
     res.sendStatus(201)

lib/ldp.js

@@ -212,14 +212,18 @@ class LDP {
   }
 
   async put (url, stream, contentType) {
-    const { path: filePath } = await this.resourceMapper.mapUrlToFile({ url, contentType, createIfNotExists: true })
-
     // PUT requests not supported on containers. Use POST instead
-    if (filePath.endsWith('/')) {
+    if ((url.url || url).endsWith('/')) {
       throw error(409,
         'PUT not supported on containers, use POST instead')
     }
 
+    // PUT without content type is forbidden
+    if (!contentType) {
+      throw error(415,
+        'PUT request require a valid content type via the Content-Type header')
+    }
+
     // First check if we are above quota
     let isOverQuota
     try {
@@ -232,6 +236,7 @@ class LDP {
     }
 
     // Second, create the enclosing directory, if necessary
+    const { path: filePath } = await this.resourceMapper.mapUrlToFile({ url, contentType, createIfNotExists: true })
     const dirName = path.dirname(filePath)
     try {
       await promisify(mkdirp)(dirName)

test/integration/acl-oidc-test.js

@@ -96,7 +96,8 @@ describe('ACL with WebID+OIDC over HTTP', function () {
     const options = {
       url: timAccountUri + path,
       headers: {
-        accept: 'text/turtle'
+        'accept': 'text/turtle',
+        'content-type': 'text/plain'
       }
     }
     if (user) {

test/integration/acl-tls-test.js

@@ -77,7 +77,8 @@ describe('ACL with WebID+TLS', function () {
     var options = {
       url: address + path,
       headers: {
-        accept: 'text/turtle'
+        accept: 'text/turtle',
+        'content-type': 'text/plain'
       }
     }
     if (user) {

test/integration/ldp-test.js

@@ -124,7 +124,7 @@ describe('LDP', function () {
   describe('put', function () {
     it.skip('should write a file in an existing dir', () => {
       var stream = stringToStream('hello world')
-      return ldp.put('/resources/testPut.txt', stream).then(() => {
+      return ldp.put('/resources/testPut.txt', stream, 'text/plain').then(() => {
         var found = read('testPut.txt')
         rm('testPut.txt')
         assert.equal(found, 'hello world')
@@ -133,11 +133,12 @@ describe('LDP', function () {
 
     it('should fail if a trailing `/` is passed', () => {
       var stream = stringToStream('hello world')
-      return ldp.put('/resources/', stream).catch(err => {
+      return ldp.put('/resources/', stream, 'text/plain').catch(err => {
         assert.equal(err.status, 409)
       })
     })
 
+
     it.skip('with a larger file to exceed allowed quota', function () {
       var randstream = stringToStream(randomBytes(2100))
       return ldp.put('localhost', '/resources/testQuota.txt', randstream).catch((err) => {
@@ -150,6 +151,20 @@ describe('LDP', function () {
         assert.equal(err.status, 413)
       })
     })
+
+    it('should fail if a trailing `/` is passed without content type', () => {
+      var stream = stringToStream('hello world')
+      return ldp.put('/resources/', stream, null).catch(err => {
+        assert.equal(err.status, 409)
+      })
+    })
+
+    it('should fail if no content type is passed', () => {
+      var stream = stringToStream('hello world')
+      return ldp.put('/resources/testPut.txt', stream, null).catch(err => {
+        assert.equal(err.status, 415)
+      })
+    })
   })
 
   describe('delete', function () {
@@ -160,7 +175,7 @@ describe('LDP', function () {
     it.skip('should delete a file in an existing dir', async () => {
       // First create a dummy file
       var stream = stringToStream('hello world')
-      await ldp.put('/resources/testPut.txt', stream)
+      await ldp.put('/resources/testPut.txt', stream, 'text/plain')
       // Make sure it exists
       fs.stat(ldp.resourceMapper._rootPath + '/resources/testPut.txt', function (err) {
         if (err) {
@@ -181,7 +196,7 @@ describe('LDP', function () {
     it.skip('should fail to delete a non-empty folder', async () => {
       // First create a dummy file
       var stream = stringToStream('hello world')
-      await ldp.put('/resources/dummy/testPutBlocking.txt', stream)
+      await ldp.put('/resources/dummy/testPutBlocking.txt', stream, 'text/plain')
       // Make sure it exists
       fs.stat(ldp.resourceMapper._rootPath + '/resources/dummy/testPutBlocking.txt', function (err) {
         if (err) {
@@ -196,7 +211,7 @@ describe('LDP', function () {
     it.skip('should fail to delete nested non-empty folders', async () => {
       // First create a dummy file
       var stream = stringToStream('hello world')
-      await ldp.put('/resources/dummy/dummy2/testPutBlocking.txt', stream)
+      await ldp.put('/resources/dummy/dummy2/testPutBlocking.txt', stream, 'text/plain')
       // Make sure it exists
       fs.stat(ldp.resourceMapper._rootPath + '/resources/dummy/dummy2/testPutBlocking.txt', function (err) {
         if (err) {