From d9afd1da4f7373bb000ec81dfd3dd00c0fd7a6a4 Mon Sep 17 00:00:00 2001
From: Jay Doane
Date: Thu, 1 Sep 2022 13:38:44 -0700
Subject: Maybe return bad_content_type on _session POST

Currently, when POSTing to `/_session` with a Content-Type header other than either `application/x-www-form-urlencoded` or `application/json`, the error response can be surprising.

This changes the response to 415 `bad_content_type` when it's not one of the above.
---
 src/couch/src/couch_httpd_auth.erl | 8 +++++++-
 src/couch/test/eunit/couchdb_auth_tests.erl | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index cc02a1e9d..c30854986 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -459,7 +459,13 @@ handle_session_req(#httpd{method = 'POST', mochi_req = MochiReq} = Req, AuthModu
 Pairs
 );
 _ ->
- []
+ throw(
+ {bad_ctype, <<
+ "Content-Type must be "
+ "'application/x-www-form-urlencoded' or "
+ "'application/json'"
+ >>}
+ )
 end,
 UserName = ?l2b(extract_username(Form)),
 Password = ?l2b(couch_util:get_value("password", Form, "")),
diff --git a/src/couch/test/eunit/couchdb_auth_tests.erl b/src/couch/test/eunit/couchdb_auth_tests.erl
index dfb22dc25..bc5caabe5 100644
--- a/src/couch/test/eunit/couchdb_auth_tests.erl
+++ b/src/couch/test/eunit/couchdb_auth_tests.erl
@@ -34,6 +34,7 @@ auth_test_() ->
 Tests = [
 fun should_return_username_on_post_to_session/2,
 fun should_not_return_authenticated_field/2,
+ fun should_return_bad_content_type_appropriately/2,
 fun should_return_list_of_handlers/2
 ],
 RequireValidUserTests = [
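Review bot: The `_ ->` clause now also catches a request with no Content-Type header at all (the value reaching the `case` is presumably `undefined` from the mochiweb accessor), so such a POST moves from a 401 for an empty username to a 415, which the commit message does not mention alongside the wrong-type case. The `case` expression and the two accepting clauses lie above the hunk, so it is not visible whether media-type parameters are stripped before matching; if they are not, `application/json; charset=utf-8` would now be rejected where it previously fell through to an empty form, and a test with a parameterised header would settle that. A one-line comment on the new clause would document the intent: `%% Any other or missing Content-Type is rejected with 415 instead of being treated as an empty form.`. handle_session_req starts and ends outside the hunk.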
@@ -85,6 +86,20 @@ should_return_username_on_post_to_session(_PortType, Url) ->
 end
 ).
 
+should_return_bad_content_type_appropriately(_PortType, Url) ->
+ ?_assertEqual(
+ <<"bad_content_type">>,
+ begin
+ {ok, 415, _, Body} = test_request:post(
+ Url,
+ [{"Content-Type", ""}],
+ []
+ ),
+ #{<<"error">> := Error} = jiffy:decode(Body, [return_maps]),
+ Error
+ end
+ ).
+
 should_not_return_authenticated_field(_PortType, Url) ->
 ?_assertThrow(
 {not_found, _},
-- cgit v1.2.1
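Review bot: The new test sends an empty Content-Type value, which exercises the catch-all but not the two cases most likely to regress: a wrong but well-formed type such as `text/plain`, and an accepted type carrying a parameter (`application/json; charset=utf-8`) that must still authenticate. A sibling generator differing only in the header line, `[{"Content-Type", "text/plain"}],`, plus one asserting that the parameterised JSON type is not answered with 415, would pin both; each needs an entry in the `Tests` list in `auth_test_/0`. The `{ok, 415, _, Body}` match inside `begin` fails with a bare `badmatch` carrying the whole response when the status differs; matching `{ok, Status, _, Body}` and asserting `Status` separately would make a failure readable, though the `begin … end` shape is consistent with the neighbouring tests. should_not_return_authenticated_field continues outside the hunk.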