Handle Bad Content-Type Headers RESTfully

[thehabes]

Closes #30

Summary

Bad or missing Content-Type headers were causing unexpected 500 errors from TinyPEN. This PR adds proper RESTful Content-Type validation and improves error handling across all route handlers.

Changes

Content-Type Validation Middleware (rest.js, app.js)

• New verifyJsonContentType middleware in rest.js runs before route handlers on body-carrying methods (POST, PUT)
• Returns 415 for missing, blank, duplicate, or unsupported Content-Type headers — Content-Type is a singleton field per RFC 9110 §8.3, so only application/json and application/ld+json are accepted
• Detects smuggled MIME types within a single Content-Type header value (e.g., application/json, text/plain)
• Handles case-insensitive matching and parameters (e.g., ; charset=utf-8)
• Scoped express.json() parser to only accept application/json and application/ld+json
• Removed express.text() and express.urlencoded() parsers since only JSON types are valid

DELETE Route Cleanup (routes/delete.js)

• Removed legacy body-based DELETE / handler — DELETE requests should not carry a body per HTTP semantics
• Kept only the param-based DELETE /:id handler
• Added checkAccessToken middleware to the remaining handler (was missing)
• Added Origin header to RERUM forwarding (was missing)
• Returns 204 with no body on success, matching REST conventions

Improved RERUM Error Forwarding (all route handlers)

• All routes now check response.ok before attempting to parse RERUM responses
• Non-OK RERUM responses are relayed with their original status code and message in the body. RERUM errors are all interpreted as a 502 when coming out of the app. This matches was TPEN Services does, and TPEN Services should have an easier time processing databaseTiny errors with consistency.
• Error responses include text/plain content type for consistency
• Added logging for RERUM-side errors via console.error

Overwrite Route Simplification (routes/overwrite.js)

• Replaced .then().catch() promise chain with cleaner if (!response.ok) pattern
• Removed res.headersSent guard that was masking control flow
• Properly passes through 409 conflict responses for optimistic locking

Dead Code Removal

• Removed routes/index.js — was imported but never mounted in the app
• Removed unused indexRouter import from app.js

Validation Improvements (routes/update.js, routes/overwrite.js)

• Missing record ID now returns 400 instead of 500

Related

• RERUM fix: Handle Bad Content-Type Headers RESTfully rerum_server_nodejs#255

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.