Merge pull request #700 from jerelmiller/fix-media-type-validations

lgebhardt · lgebhardt · commit a4f8588f61c2 · 2016-05-12T10:19:45.000-04:00
Ensure media type of Accept header is valid according to the JSON API spec
diff --git a/README.md b/README.md
@@ -1355,6 +1355,7 @@ module JSONAPI
   SAVE_FAILED = '121'
   FORBIDDEN = '403'
   RECORD_NOT_FOUND = '404'
+  NOT_ACCEPTABLE = '406'
   UNSUPPORTED_MEDIA_TYPE = '415'
   LOCKED = '423'
 end
diff --git a/lib/jsonapi/acts_as_resource_controller.rb b/lib/jsonapi/acts_as_resource_controller.rb
@@ -2,10 +2,13 @@
 
 module JSONAPI
   module ActsAsResourceController
+    MEDIA_TYPE_MATCHER = /(.+".+"[^,]*|[^,]+)/
+    ALL_MEDIA_TYPES = '*/*'
 
     def self.included(base)
       base.extend ClassMethods
       base.before_action :ensure_correct_media_type, only: [:create, :update, :create_relationship, :update_relationship]
+      base.before_action :ensure_valid_accept_media_type
       base.cattr_reader :server_error_callbacks
     end
 
@@ -99,6 +102,36 @@ def ensure_correct_media_type
       handle_exceptions(e)
     end
 
+    def ensure_valid_accept_media_type
+      if invalid_accept_media_type?
+        fail JSONAPI::Exceptions::NotAcceptableError.new(request.accept)
+      end
+    rescue => e
+      handle_exceptions(e)
+    end
+
+    def invalid_accept_media_type?
+      media_types = media_types_for('Accept')
+
+      return false if media_types.blank? || media_types.include?(ALL_MEDIA_TYPES)
+
+      jsonapi_media_types = media_types.select do |media_type|
+        media_type.include?(JSONAPI::MEDIA_TYPE)
+      end
+
+      jsonapi_media_types.size.zero? ||
+        jsonapi_media_types.none? do |media_type|
+          media_type == JSONAPI::MEDIA_TYPE
+        end
+    end
+
+    def media_types_for(header)
+      (request.headers[header] || '')
+        .match(MEDIA_TYPE_MATCHER)
+        .to_a
+        .map(&:strip)
+    end
+
     # override to set context
     def context
       {}
diff --git a/lib/jsonapi/error_codes.rb b/lib/jsonapi/error_codes.rb
@@ -22,6 +22,7 @@ module JSONAPI
   SAVE_FAILED = '121'
   FORBIDDEN = '403'
   RECORD_NOT_FOUND = '404'
+  NOT_ACCEPTABLE = '406'
   UNSUPPORTED_MEDIA_TYPE = '415'
   LOCKED = '423'
   INTERNAL_SERVER_ERROR = '500'
@@ -50,6 +51,7 @@ module JSONAPI
       SAVE_FAILED => 'SAVE_FAILED',
       FORBIDDEN => 'FORBIDDEN',
       RECORD_NOT_FOUND => 'RECORD_NOT_FOUND',
+      NOT_ACCEPTABLE => 'NOT_ACCEPTABLE',
       UNSUPPORTED_MEDIA_TYPE => 'UNSUPPORTED_MEDIA_TYPE',
       LOCKED => 'LOCKED',
       INTERNAL_SERVER_ERROR => 'INTERNAL_SERVER_ERROR'
diff --git a/lib/jsonapi/exceptions.rb b/lib/jsonapi/exceptions.rb
@@ -18,9 +18,9 @@ def errors
 
         [JSONAPI::Error.new(code: JSONAPI::INTERNAL_SERVER_ERROR,
                             status: :internal_server_error,
-                            title: I18n.t('jsonapi-resources.exceptions.internal_server_error.title', 
+                            title: I18n.t('jsonapi-resources.exceptions.internal_server_error.title',
                                           default: 'Internal Server Error'),
-                            detail: I18n.t('jsonapi-resources.exceptions.internal_server_error.detail', 
+                            detail: I18n.t('jsonapi-resources.exceptions.internal_server_error.detail',
                                            default: 'Internal Server Error'),
                             meta: meta)]
       end
@@ -35,9 +35,9 @@ def initialize(resource)
       def errors
         [JSONAPI::Error.new(code: JSONAPI::INVALID_RESOURCE,
                             status: :bad_request,
-                            title: I18n.t('jsonapi-resources.exceptions.invalid_resource.title', 
+                            title: I18n.t('jsonapi-resources.exceptions.invalid_resource.title',
                                           default: 'Invalid resource'),
-                            detail: I18n.t('jsonapi-resources.exceptions.invalid_resource.detail', 
+                            detail: I18n.t('jsonapi-resources.exceptions.invalid_resource.detail',
                                            default: "#{resource} is not a valid resource.", resource: resource))]
       end
     end
@@ -51,9 +51,9 @@ def initialize(id)
       def errors
         [JSONAPI::Error.new(code: JSONAPI::RECORD_NOT_FOUND,
                             status: :not_found,
-                            title: I18n.translate('jsonapi-resources.exceptions.record_not_found.title', 
+                            title: I18n.translate('jsonapi-resources.exceptions.record_not_found.title',
                                                   default: 'Record not found'),
-                            detail: I18n.translate('jsonapi-resources.exceptions.record_not_found.detail', 
+                            detail: I18n.translate('jsonapi-resources.exceptions.record_not_found.detail',
                                                    default: "The record identified by #{id} could not be found.", id: id))]
       end
     end
@@ -67,7 +67,7 @@ def initialize(media_type)
       def errors
         [JSONAPI::Error.new(code: JSONAPI::UNSUPPORTED_MEDIA_TYPE,
                             status: :unsupported_media_type,
-                            title: I18n.translate('jsonapi-resources.exceptions.unsupported_media_type.title', 
+                            title: I18n.translate('jsonapi-resources.exceptions.unsupported_media_type.title',
                                                   default: 'Unsupported media type'),
                             detail: I18n.translate('jsonapi-resources.exceptions.unsupported_media_type.detail',
                                                    default: "All requests that create or update must use the '#{JSONAPI::MEDIA_TYPE}' Content-Type. This request specified '#{media_type}'.",
@@ -76,6 +76,26 @@ def errors
       end
     end
 
+    class NotAcceptableError < Error
+      attr_accessor :media_type
+
+      def initialize(media_type)
+        @media_type = media_type
+      end
+
+      def errors
+        [JSONAPI::Error.new(code: JSONAPI::NOT_ACCEPTABLE,
+                            status: :not_acceptable,
+                            title: I18n.translate('jsonapi-resources.exceptions.not_acceptable.title',
+                                                  default: 'Not acceptable'),
+                            detail: I18n.translate('jsonapi-resources.exceptions.not_acceptable.detail',
+                                                   default: "All requests must use the '#{JSONAPI::MEDIA_TYPE}' Accept without media type parameters. This request specified '#{media_type}'.",
+                                                   needed_media_type: JSONAPI::MEDIA_TYPE,
+                                                   media_type: media_type))]
+      end
+    end
+
+
     class HasManyRelationExists < Error
       attr_accessor :id
       def initialize(id)
@@ -85,7 +105,7 @@ def initialize(id)
       def errors
         [JSONAPI::Error.new(code: JSONAPI::RELATION_EXISTS,
                             status: :bad_request,
-                            title: I18n.translate('jsonapi-resources.exceptions.has_many_relation.title', 
+                            title: I18n.translate('jsonapi-resources.exceptions.has_many_relation.title',
                                                   default: 'Relation exists'),
                             detail: I18n.translate('jsonapi-resources.exceptions.has_many_relation.detail',
                                                    default: "The relation to #{id} already exists.",
@@ -97,7 +117,7 @@ class ToManySetReplacementForbidden < Error
       def errors
         [JSONAPI::Error.new(code: JSONAPI::FORBIDDEN,
                             status: :forbidden,
-                            title: I18n.translate('jsonapi-resources.exceptions.to_many_set_replacement_forbidden.title', 
+                            title: I18n.translate('jsonapi-resources.exceptions.to_many_set_replacement_forbidden.title',
                                                   default: 'Complete replacement forbidden'),
                             detail: I18n.translate('jsonapi-resources.exceptions.to_many_set_replacement_forbidden.detail',
                                                    default: 'Complete replacement forbidden for this relationship'))]
diff --git a/locales/en.yml b/locales/en.yml
@@ -10,6 +10,9 @@ en:
       record_not_found:
         title: 'Record not found'
         detail: "The record identified by %{id} could not be found."
+      not_acceptable:
+        title: 'Not acceptable'
+        detail: "All requests must use the '%{needed_media_type}' Accept without media type parameters. This request specified '%{media_type}'."
       unsupported_media_type:
         title: 'Unsupported media type'
         detail: "All requests that create or update must use the '%{needed_media_type}' Content-Type. This request specified '%{media_type}.'"
diff --git a/test/controllers/controller_test.rb b/test/controllers/controller_test.rb
@@ -15,6 +15,56 @@ def test_index
     assert json_response['data'].is_a?(Array)
   end
 
+  def test_accept_header_missing
+    @request.headers['Accept'] = nil
+
+    get :index
+    assert_response :success
+  end
+
+  def test_accept_header_jsonapi_mixed
+    @request.headers['Accept'] =
+      "#{JSONAPI::MEDIA_TYPE},#{JSONAPI::MEDIA_TYPE};charset=test"
+
+    get :index
+    assert_response :success
+  end
+
+  def test_accept_header_jsonapi_modified
+    @request.headers['Accept'] = "#{JSONAPI::MEDIA_TYPE};charset=test"
+
+    get :index
+    assert_response 406
+    assert_equal 'Not acceptable', json_response['errors'][0]['title']
+    assert_equal "All requests must use the '#{JSONAPI::MEDIA_TYPE}' Accept without media type parameters. This request specified '#{@request.headers['Accept']}'.", json_response['errors'][0]['detail']
+  end
+
+  def test_accept_header_jsonapi_multiple_modified
+    @request.headers['Accept'] =
+      "#{JSONAPI::MEDIA_TYPE};charset=test,#{JSONAPI::MEDIA_TYPE};charset=test"
+
+    get :index
+    assert_response 406
+    assert_equal 'Not acceptable', json_response['errors'][0]['title']
+    assert_equal "All requests must use the '#{JSONAPI::MEDIA_TYPE}' Accept without media type parameters. This request specified '#{@request.headers['Accept']}'.", json_response['errors'][0]['detail']
+  end
+
+  def test_accept_header_all
+    @request.headers['Accept'] = "*/*"
+
+    get :index
+    assert_response :success
+  end
+
+  def test_accept_header_not_jsonapi
+    @request.headers['Accept'] = 'text/plain'
+
+    get :index
+    assert_response 406
+    assert_equal 'Not acceptable', json_response['errors'][0]['title']
+    assert_equal "All requests must use the '#{JSONAPI::MEDIA_TYPE}' Accept without media type parameters. This request specified '#{@request.headers['Accept']}'.", json_response['errors'][0]['detail']
+  end
+
   def test_exception_class_whitelist
     original_config = JSONAPI.configuration.dup
     JSONAPI.configuration.operations_processor = :error_raising
diff --git a/test/integration/requests/namespaced_model_test.rb b/test/integration/requests/namespaced_model_test.rb
@@ -6,7 +6,7 @@ def setup
   end
 
   def test_get_flat_posts
-    get '/flat_posts'
+    get '/flat_posts', headers: { 'Accept' => JSONAPI::MEDIA_TYPE }
     assert_equal 200, status
     assert_equal "flat_posts", json_response["data"].first["type"]
   end
diff --git a/test/integration/requests/request_test.rb b/test/integration/requests/request_test.rb
diff --git a/test/integration/sti_fields_test.rb b/test/integration/sti_fields_test.rb
diff --git a/test/unit/serializer/polymorphic_serializer_test.rb b/test/unit/serializer/polymorphic_serializer_test.rb
