From f94f37507d00e983174b6b3bd958d1f3f3d71df4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Erbsh=C3=A4u=C3=9Fer?=
Date: Sun, 24 May 2026 09:22:25 +0200
Subject: [PATCH] check content-type in login endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Tobias Erbshäußer
---
 backend/api.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/backend/api.go b/backend/api.go
index eeaa1f1..d9d73c3 100644
--- a/backend/api.go
+++ b/backend/api.go
@@ -17,8 +17,15 @@ type ApiHandler struct {

 const authTokenCookieName = "auth-token"
 const isAuthorizedContextKey = "is-authorized"
+const contentTypeHeaderKey = "Content-Type"
+const JsonMimeType = "application/json"

 func (h *ApiHandler) ServeLoginPost(writer http.ResponseWriter, request *http.Request) {
+ if !HasContentType(request, JsonMimeType) {
+ WriteError(writer, http.StatusBadRequest, "expected json body", nil)
+ return
+ }
+
 bodyReader := request.Body
 body, err := io.ReadAll(bodyReader)
 _ = bodyReader.Close()
@@ -108,7 +115,7 @@ func IsAuthorized(request *http.Request) bool {
 }

 func WriteResponse(writer http.ResponseWriter, code int, body any) {
- writer.Header().Set("Content-Type", "application/json")
+ writer.Header().Set(contentTypeHeaderKey, "application/json")
 writer.WriteHeader(code)
 _ = json.NewEncoder(writer).Encode(body)
 }
@@ -122,3 +129,8 @@ func WriteError(writer http.ResponseWriter, code int, message string, err error)
 "message": message,
 })
 }
+
+func HasContentType(request *http.Request, mimeType string) bool {
+ contentType := request.Header.Get(contentTypeHeaderKey)
+ return contentType == mimeType
+}
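Review bot: The new guard at the top of ServeLoginPost answers a wrong media type with 400, but 415 is the status defined for that case and lets clients tell it apart from a malformed JSON body: `WriteError(writer, http.StatusUnsupportedMediaType, "expected json body", nil)`. The guard also has no comment saying why the login endpoint insists on JSON. If the intent is to keep cross-site form posts away from the handler, a line such as `// Reject non-JSON bodies so simple cross-origin form posts cannot reach the login logic.` would stop a later cleanup from removing it. The rest of ServeLoginPost lies outside the hunk.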
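Review bot: The changed line in WriteResponse still spells the value as the literal `"application/json"`, although this commit introduces `JsonMimeType` for exactly that string. Using `writer.Header().Set(contentTypeHeaderKey, JsonMimeType)` keeps the request check and the response header tied to one constant. Go naming convention would also write the exported constant as `JSONMimeType`, if renaming it is acceptable for callers outside this file.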
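Review bot: The exact string comparison in HasContentType rejects `application/json; charset=utf-8` and any other parameterised or differently-cased value, so a client that sends a charset is turned away from the login endpoint. Comparing only the parsed media type is just as strict about the type itself: `mediaType, _, err := mime.ParseMediaType(request.Header.Get(contentTypeHeaderKey))` followed by `return err == nil && mediaType == mimeType`. ParseMediaType returns the type in lower case, so callers must pass `mimeType` in lower case, as `JsonMimeType` already is. The `mime` package would have to be added to the file's imports, which are outside this hunk.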