Validate Content-Type Header for api/users

The content-type of Hub API requests used for user management, specifically for creating a user,
is not validated and so the ‘text/plain’ type is accepted, where it must be ‘application/json’.
This commit adds validation for the `Content-type` header for the /hub/api/users endpoint to only
allow requests with content-type as `application/json`.
Vaishnavi Hire
2021-08-12 09:17:47 -04:00
parent 59b2581370
commit e59556f020
2 changed files with 14 additions and 0 deletions


@@ -409,6 +409,10 @@ async def test_add_multi_user_bad(app):
assert r.status_code == 400
r = await api_request(app, 'users', method='post', data='[]')
assert r.status_code == 400
r = await api_request(
app, 'users', method='post', data='{}', headers={"Content-Type": "text/plain"}
)
assert r.status_code == 403
@mark.user
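Review bot: the assertion added to test_add_multi_user_bad pins a single rejected value, `text/plain` with a `{}` body, so it says nothing about the other header shapes the new check will see. Consider adding cases for a POST with no Content-Type header at all and for `application/json; charset=utf-8`, which should still be accepted, and using a body that is otherwise valid so the header is the only possible reason for the rejection. The expected status here is 403; 415 Unsupported Media Type would describe this rejection more precisely, if existing API clients can tolerate the difference.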