jwt_auth plugin extractCredentials: check request content-type (#1728)

Only look for credentials in JSON requests
plone · Nov 2, 2023 · 3b4c810 · 3b4c810
1 parent c43fd4f
commit 3b4c810
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/news/1728.bugfix b/news/1728.bugfix
@@ -0,0 +1 @@
+Fix jwt_auth extractCredentials plugin to only try to read credentials from the request body if there is a `Content-Type: application/json` header. @davisagli
diff --git a/src/plone/restapi/pas/plugin.py b/src/plone/restapi/pas/plugin.py
@@ -96,13 +96,14 @@ def extractCredentials(self, request):
         # Prefer any credentials in a JSON POST request under the assumption that any
         # such requested sent when a JWT token is already in the `Authorization` header
         # is intended to change or update the logged in user.
-        try:
-            creds = deserializer.json_body(request)
-        except exceptions.DeserializationError:
-            pass
-        else:
-            if "login" in creds and "password" in creds:
-                return creds
+        if request.getHeader("Content-Type") == "application/json":
+            try:
+                creds = deserializer.json_body(request)
+            except exceptions.DeserializationError:
+                pass
+            else:
+                if "login" in creds and "password" in creds:
+                    return creds
 
         creds = {}
         auth = request._auth