Add type check on body when POSTing

nonword · nonword · commit 2c80b79b9821 · 2018-10-19T11:02:26.000-04:00
Add a check on the typeof the body (e.g. when POSTing) to prevent the
client from sending plaintext when `options.json === true`. This is
added to avoid the situation where integrating code attempts to POST
stringified json, which will likely be rejected by the endpoint (because
the payload will appear as plaintext but the `Content-Type` header will
declare 'application/json'.

Also adds tests to confirm plaintext bodies throw errors (but null
payloads are accepted).
diff --git a/README.md b/README.md
@@ -67,7 +67,7 @@ client.get('patrons/12345678').then((resp) => {
 
 To POST a new "TestSchema" schema:
 ```js
-client.post('schemas/TestSchema', '{ "name": "TestSchema", "type": "record", "fields": [ ... ] }')
+client.post('schemas/TestSchema', { name: "TestSchema", type: "record", fields: [ ... ] })
   .then((resp) => {
     if (JSON.parse(resp).data.stream !== 'TestSchema') throw Error('Error creating schema...')
   })
diff --git a/lib/client.js b/lib/client.js
@@ -192,6 +192,11 @@ class Client {
     // Disallow caching anything but GET:
     if (method !== 'GET') options.cache = false
 
+    // Disallow non-object body if json enabled:
+    if (options.json && options.body && (typeof options.body) !== 'object') {
+      return Promise.reject(new Error(`Attempted to ${method} with options.json==true, but body is a ${typeof options.body}`))
+    }
+
     var uri = this._getFullUrl(path)
     var cacheKey = `${method} ${uri}`
 
diff --git a/test/post-test.js b/test/post-test.js
@@ -28,6 +28,17 @@ describe('Client POST method', function () {
           expect(resp).to.be.a('object')
         })
     })
+
+    it('should fail if supplied body is plaintext', function () {
+      let call = client.post(`schemas/${testSchema.name}`, JSON.stringify(testSchema))
+      return expect(call).to.be.rejected
+    })
+
+    // A null/empty body should be accepted as valid if options.json===true
+    it('should succeed if supplied body is empty', function () {
+      let call = client.post(`schemas/${testSchema.name}`)
+      return expect(call).to.be.fulfilled
+    })
   })
 
   describe('when config.json=false', function () {
