Serve provenance without requiring the Accept header #17084

Open
simonw opened this issue Nov 15, 2024 · 4 comments
Labels
feature request requires triaging maintainers need to do initial inspection of issue

Comments

simonw commented Nov 15, 2024

What's the problem this feature will solve?

When I visit this page in my browser:

https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance

I get this:

{"message":"Request not acceptable"}

To see the content of that page I have to send an accept header like this:

curl -s \
  -H 'accept: application/vnd.pypi.integrity.v1+json' https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance \
  | jq

Describe the solution you'd like

I'd prefer it if the page served me JSON without me having to send that accept header. That way I could explore and understand the API without needing to fire up a terminal or a custom HTTP client.

Additional context

Here's the implementation:

def provenance_for_file(file: File, request: Request):
    # Determine our response content-type. For the time being, only the JSON
    # type is accepted.
    request.response.content_type = _select_content_type(request)
    if request.response.content_type != MIME_PYPI_INTEGRITY_V1_JSON:
        return HTTPNotAcceptable(json={"message": "Request not acceptable"})

@simonw simonw added feature request requires triaging maintainers need to do initial inspection of issue labels Nov 15, 2024
simonw (Author) commented Nov 15, 2024

This is covered by the documentation here (I didn't think to look so I dug around in the source code instead): https://docs.pypi.org/api/integrity/#get-provenance-for-file

Although the docs say:

Example JSON request (default if no Accept header is passed)

Which I think is incorrect documentation - you have to pass the Accept header to see the format shown in that example.

@simonw simonw changed the title Serve attestations without requiring the Accept header Serve provenance without requiring the Accept header Nov 15, 2024
di (Member) commented Nov 15, 2024

Your browser is almost certainly sending Accept: text/html or something similar, which is not a bare Accept header. A bare Accept header correctly returns a JSON response:

$ curl -s \
    -H 'accept:' https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance \
    | jq

{
  "attestation_bundles": [
    {
       ...

simonw (Author) commented Nov 19, 2024

Running curl without sending -H 'accept:' works too:

curl -s https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance

Not great from a developer experience / usability POV though, since I do a lot of my API research these days on a phone with Mobile Safari!

di (Member) commented Nov 19, 2024

Running curl without sending -H 'accept:' works too:

That's because by default curl accepts any content type (*/*).

Not great from a developer experience / usability POV though, since I do a lot of my API research these days on a phone with Mobile Safari!

The issue is that we want to respect the Accept header we are being sent: if your browser is indicating that it does not accept application/json for the request, then we don't want to send it application/json.

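The negotiation the thread is arguing about, as an added example that is not part of the original issue and is not Warehouse's `_select_content_type` (the issue shows only its call site, not its body). It parses `Accept` media ranges and q-values per RFC 9110 section 12.5.1 against a single offered type, and reproduces the cases discussed above: no `Accept` (the `-H 'accept:'` case) and curl's default `*/*` get JSON, an `Accept` naming only `text/html` gets 406. The constant name is taken from the issue's snippet and its value from the curl command; the `allow_wildcard` switch is an assumed policy knob, added to show that a browser-style header ending in `*/*;q=0.8` is accepted under plain RFC matching and rejected only if the server insists on an explicit media type.

```python
"""Accept-header negotiation for a single-representation JSON endpoint.

Added illustration, not Warehouse's code. RFC 9110 s12.5.1 media-range
matching with q-values, plus an assumed policy switch for wildcard ranges.
"""
from dataclasses import dataclass
from typing import Optional

# Name as in the issue's snippet; value as sent in the curl example.
MIME_PYPI_INTEGRITY_V1_JSON = "application/vnd.pypi.integrity.v1+json"


@dataclass(frozen=True)
class MediaRange:
    type: str      # e.g. "application" or "*"
    subtype: str   # e.g. "json" or "*"
    q: float       # quality value, 0.0 .. 1.0

    @property
    def specificity(self) -> int:
        return (self.type != "*") + (self.subtype != "*")

    def matches(self, media_type: str) -> bool:
        t, _, s = media_type.lower().partition("/")
        return self.type in ("*", t) and self.subtype in ("*", s)


def parse_accept(header: Optional[str]) -> list[MediaRange]:
    """Parse `Accept` into media ranges; a missing/empty header gives []."""
    ranges: list[MediaRange] = []
    for item in (header or "").split(","):
        parts = [p.strip() for p in item.split(";")]
        media = parts[0].lower()
        if "/" not in media:
            continue                      # skip empty items and junk
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = min(1.0, max(0.0, float(value)))
                except ValueError:
                    q = 0.0               # unparsable q: treat as not acceptable
        t, s = media.split("/", 1)
        ranges.append(MediaRange(t.strip(), s.strip(), q))
    return ranges


def quality_of(offer: str, ranges: list[MediaRange], allow_wildcard: bool) -> float:
    """q-value the client assigns to `offer`; the most specific match wins."""
    candidates = [r for r in ranges if r.matches(offer)]
    if not allow_wildcard:
        candidates = [r for r in candidates if r.specificity == 2]
    if not candidates:
        return 0.0
    return max(candidates, key=lambda r: r.specificity).q


def select_content_type(accept: Optional[str], offered: list[str],
                        allow_wildcard: bool = True) -> Optional[str]:
    """Best offered type for this Accept header, or None (meaning 406).

    No/empty Accept means the client takes anything, so the first offer is
    used. allow_wildcard=False (assumed policy) requires the client to name
    the type explicitly, so `*/*` no longer counts as acceptance.
    """
    ranges = parse_accept(accept)
    if not ranges:
        return offered[0]
    best, best_q = None, 0.0
    for offer in offered:
        q = quality_of(offer, ranges, allow_wildcard)
        if q > best_q:
            best, best_q = offer, q
    return best


def provenance_status(accept: Optional[str], allow_wildcard: bool = True) -> tuple[int, str]:
    """(status, content-type) the endpoint answers, mirroring the snippet's check."""
    chosen = select_content_type(accept, [MIME_PYPI_INTEGRITY_V1_JSON], allow_wildcard)
    if chosen != MIME_PYPI_INTEGRITY_V1_JSON:
        return 406, "application/json"    # body: {"message": "Request not acceptable"}
    return 200, chosen


if __name__ == "__main__":
    # Constructed Accept headers covering the cases discussed in the thread.
    cases = {
        "curl -H 'accept:'": "",
        "curl default": "*/*",
        "explicit": MIME_PYPI_INTEGRITY_V1_JSON,
        "html only": "text/html",
        "browser-like": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    }
    for name, hdr in cases.items():
        print(f"{name:18} {provenance_status(hdr)}  strict={provenance_status(hdr, False)}")
```

The first thing to capture when debugging a 406 like the one in this issue is the exact `Accept` header the client sent (the browser's network inspector, or a request-logging proxy), since the thread shows that curl's `*/*` is honoured while the browser's header is not, and the two policies above answer that browser-style header differently.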