From 85e376bffd85e4ec2f8a8d2c99eedf611be61085 Mon Sep 17 00:00:00 2001
From: dumbmoron
Date: Wed, 24 Jul 2024 17:27:26 +0200
Subject: [PATCH] api: move accept header check into handler, simplify error handling (#614)
---
 src/core/api.js | 37 +++++++++++-------------------
 src/localization/languages/en.json | 3 ++-
 2 files changed, 15 insertions(+), 25 deletions(-)
diff --git a/src/core/api.js b/src/core/api.js
index 8eb4cb40..aaad0887 100644
--- a/src/core/api.js
+++ b/src/core/api.js
@@ -26,7 +26,7 @@ const corsConfig = env.corsWildcard ? {} : {
 export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
 const startTime = new Date();
 const startTimestamp = startTime.getTime();
-
+
 const serverInfo = {
 version: version,
 commit: gitCommit,
@@ -81,38 +81,23 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
 app.use((req, res, next) => {
 try {
 decodeURIComponent(req.path)
- } catch {
+ } catch {
 return res.redirect('/')
 }
 next();
 })
- app.use('/api/json', express.json({
- verify: (req, res, buf) => {
- if (String(req.header('Accept')) === "application/json") {
- if (buf.length > 720) throw new Error();
- JSON.parse(buf);
- } else {
- throw new Error();
- }
- }
- }))
-
- // handle express.json errors properly (https://github.com/expressjs/express/issues/4065)
- app.use('/api/json', (err, req, res, next) => {
- let errorText = "invalid json body";
- const acceptHeader = String(req.header('Accept')) !== "application/json";
-
- if (err || acceptHeader) {
- if (acceptHeader) errorText = "invalid accept header";
+ app.use('/api/json', express.json({ limit: 1024 }));
+ app.use('/api/json', (err, _, res, next) => {
+ if (err) {
 return res.status(400).json({
 status: "error",
- text: errorText
+ text: "invalid json body"
 });
- } else {
- next();
 }
- })
+
+ next();
+ });
 app.post('/api/json', async (req, res) => {
 const request = req.body;
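Review bot: The new four-argument handler on `/api/json` answers every error with 400 "invalid json body", so a body rejected by `express.json({ limit: 1024 })` for its size is reported exactly like malformed JSON, as is any error raised by earlier middleware on that path. body-parser sets `err.type` (`entity.too.large` for the limit) and `err.status` on its errors, so the response could use `res.status(err.status ?? 400)` and keep the "invalid json body" text for parse failures only; that also keeps oversized requests distinguishable from bad JSON in logs. The commit also drops the comment that explained why an error handler follows `express.json`; a short replacement such as `// express.json failures arrive here as err; answer them in the API's JSON error shape` would keep that context.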
@@ -123,6 +108,10 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
 res.status(status).json(body);
 }
+ if (!acceptRegex.test(req.header('Accept'))) {
+ return fail('ErrorInvalidAcceptHeader');
+ }
+
 if (!acceptRegex.test(req.header('Content-Type'))) {
 return fail('ErrorInvalidContentType');
 }
diff --git a/src/localization/languages/en.json b/src/localization/languages/en.json
index eecd9ac1..2b10f41d 100644
--- a/src/localization/languages/en.json
+++ b/src/localization/languages/en.json
@@ -159,6 +159,7 @@
 "UpdateOneMillion": "1 million users and blazing speed",
 "ErrorYTAgeRestrict": "this youtube video is age-restricted, so i can't see it. try another one!",
 "ErrorYTLogin": "couldn't get this youtube video because it requires an account to view.\n\nthis limitation is done by google to seemingly stop scraping, affecting all 3rd party tools and even their own clients.\n\ntry again, but if issue persists, {ContactLink}.",
- "ErrorYTRateLimit": "i got rate limited by youtube. try again in a few seconds, but if issue persists, {ContactLink}."
+ "ErrorYTRateLimit": "i got rate limited by youtube. try again in a few seconds, but if issue persists, {ContactLink}.",
+ "ErrorInvalidAcceptHeader": "invalid accept header"
 }
 }
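Review bot: In the `/api/json` POST handler hunk of src/core/api.js, `acceptRegex.test(req.header('Accept'))` is handed `undefined` when the header is absent, and `test` coerces that to the string "undefined"; the removed middleware made this coercion explicit with `String(...)`. Writing `acceptRegex.test(req.header('Accept') ?? '')` would state the intent, assuming a missing header should fail the check. `acceptRegex` is defined outside this hunk: if it carries a `g` or `y` flag, the two back-to-back `test` calls (Accept, then Content-Type) would share `lastIndex`, so that is worth confirming. The handler begins and ends outside the hunk.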