Add check when using another content type than application/x-www-form…

…-urlencoded and return a 415 http error

mod_authnz_jwt.c

@@ -693,6 +693,13 @@ static int auth_jwt_login_handler(request_rec *r){
 	 	return HTTP_METHOD_NOT_ALLOWED;
  	}
 
+        const char* content_type = apr_table_get(r->headers_in, "Content-Type");
+        if(!content_type || strcmp(content_type, "application/x-www-form-urlencoded")!=0){
+            	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(55202)
+                                                        "auth_jwt authn: content type must be x-www-form-urlencoded");
+		return HTTP_UNSUPPORTED_MEDIA_TYPE;
+        }
+
  	apr_array_header_t *pairs = NULL;
  	res = ap_parse_form_data(r, NULL, &pairs, -1, FORM_SIZE);
  	if (res != OK) {

tests/test_auth_by_token.py

@@ -12,7 +12,7 @@ def test_login_with_urlencoded_should_success(self):
 
     def test_login_should_with_json_should_fail(self):
         code, content, headers = self.http_post(self.LOGIN_PATH, {self.USERNAME_FIELD:self.USERNAME, self.PASSWORD_FIELD:self.PASSWORD}, headers={"Content-Type":"application/json"})
-        self.assertEqual(code, 401)
+        self.assertEqual(code, 415)
 
     @TestJWT.with_all_algorithms()
     def test_malformed_token_should_fail(self, alg, key, secured_url):

tests/test_jwt.py

@@ -67,6 +67,8 @@ def http_get(self, url, token=None):
     def http_post(self, url, data, token=None, headers=None):
         if headers is None:
             headers = {}
+        if "Content-Type" not in headers:
+            headers["Content-Type"] = "application/x-www-form-urlencoded"
         if "Authorization" not in headers and token is not None:
             headers["Authorization"] = "Bearer %s" % token
         r = requests.post(url, data=data, headers=headers)