fix: Frontend requests do not send Content-Type header in request (#9956)

* Revert "Revert "fix: Frontend requests do not send Content-Type in request (#…"

This reverts commit 7fddd99c28.

* Update authentication.ts

app/utils/ApiClient.ts

@@ -75,17 +75,18 @@ class ApiClient {
     } else if (method === "POST" || method === "PUT") {
       if (data instanceof FormData || typeof data === "string") {
         body = data;
-      }
-
-      // Only stringify data if its a normal object and
-      // not if it's [object FormData], in addition to
-      // toggling Content-Type to application/json
-      if (
-        typeof data === "object" &&
-        (data || "").toString() === "[object Object]"
-      ) {
+      } else {
         isJson = true;
-        body = JSON.stringify(data);
+
+        // Only stringify data if its a normal object and
+        // not if it's [object FormData], in addition to
+        // toggling Content-Type to application/json
+        if (
+          typeof data === "object" &&
+          (data || "").toString() === "[object Object]"
+        ) {
+          body = JSON.stringify(data);
+        }
       }
     }
 

plugins/storage/server/api/files.ts

@@ -28,7 +28,7 @@ const router = new Router();
 router.post(
   "files.create",
   rateLimiter(RateLimiterStrategy.TenPerMinute),
-  auth(),
+  auth({ allowMultipart: true }),
   validate(T.FilesCreateSchema),
   multipart({
     maximumFileSize: Math.max(

server/middlewares/authentication.ts

@@ -23,6 +23,12 @@ type AuthenticationOptions = {
   type?: AuthenticationType | AuthenticationType[];
   /** Authentication is parsed, but optional. */
   optional?: boolean;
+  /**
+   * Allow multipart requests with cookie authentication, otherwise
+   * the request will fail if the content type is not application/json.
+   * This is useful for file uploads where the cookie is used to authenticate.
+   */
+  allowMultipart?: boolean;
 };
 
 export default function auth(options: AuthenticationOptions = {}) {
@@ -55,6 +61,18 @@ export default function auth(options: AuthenticationOptions = {}) {
       token = ctx.request.query.token;
     } else {
       token = ctx.cookies.get("accessToken");
+
+      // check if the request is application/json encoded
+      // TODO: Enable once clients have updated
+      // if (
+      //   token &&
+      //   !ctx.request.is("application/json") &&
+      //   !options.allowMultipart
+      // ) {
+      //   throw AuthenticationError(
+      //     "Mismatched content type. Expected application/json"
+      //   );
+      // }
     }
 
     try {

server/routes/api/documents/documents.ts

@@ -1549,7 +1549,7 @@ router.post(
 
 router.post(
   "documents.import",
-  auth(),
+  auth({ allowMultipart: true }),
   rateLimiter(RateLimiterStrategy.TwentyFivePerMinute),
   validate(T.DocumentsImportSchema),
   multipart({ maximumFileSize: env.FILE_STORAGE_IMPORT_MAX_SIZE }),

server/routes/auth/index.ts

@@ -75,11 +75,7 @@ router.get("/redirect", authMiddleware(), async (ctx: APIContext) => {
   );
 });
 
-app.use(
-  bodyParser({
-    multipart: true,
-  })
-);
+app.use(bodyParser());
 app.use(coalesceBody());
 app.use(router.routes());