From 5dedecb2f34172c6be3a508d6a4360845579a293 Mon Sep 17 00:00:00 2001
From: Michael McAndrew
Date: Mon, 12 Mar 2018 09:50:03 +0000
Subject: [PATCH] Add checks for supported content types
---
 proxy/callback.functions.php | 3 +++
 proxy/callback.php | 9 ++++++---
 proxy/config.php | 1 +
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/proxy/callback.functions.php b/proxy/callback.functions.php
index f25a604..47790b3 100644
--- a/proxy/callback.functions.php
+++ b/proxy/callback.functions.php
@@ -33,6 +33,9 @@ function civiproxy_callback_validate_body_xwwwformurlencoded($expected, $actual)
 //TODO
 }

+// For now, I have written this 'placeholder' method to pass on post requests.
+// Sparkpost says that it works OK. Might be a good idea to refactor/improve
+// civiproxy_redirect() instead/as well.
 function civiproxy_callback_redirect($target_path, $method) {
 switch ($method) {
 case 'POST':
diff --git a/proxy/callback.php b/proxy/callback.php
index c3d48ed..a8b2fd9 100644
--- a/proxy/callback.php
+++ b/proxy/callback.php
@@ -43,6 +43,7 @@ if(!isset($query_params['secret']) || $definition['secret'] !== $query_params['s
 civiproxy_http_error("Invalid secret", 403);
 }

+// Check this is a supported request method
 if(!in_array($_SERVER['REQUEST_METHOD'], ['POST'])){
 civiproxy_http_error("Unsupported request method", 501);
 }
@@ -52,6 +53,11 @@ if(isset($definition['request_method'])){
 civiproxy_callback_validate_request_method($definition['request_method'], $_SERVER['REQUEST_METHOD']);
 }

+// Check this is a supported content type
+if(!in_array($_SERVER['CONTENT_TYPE'], ['application/json', 'application/x-www-form-urlencoded'])){
+ civiproxy_http_error("Unsupported content type", 501);
+}
+
 // If a content type has been defined, validate it
 if(isset($definition['content_type'])){
 civiproxy_callback_validate_content_type($definition['content_type'], $_SERVER['CONTENT_TYPE']);
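Review bot: The new allow-list check in proxy/callback.php (hunk `-52,6 +53,11`) compares the raw `$_SERVER['CONTENT_TYPE']` string by exact match, so a sender that appends a parameter such as `application/json; charset=utf-8` or uses different letter case is rejected, and a request with no Content-Type header reads an undefined index before it reaches the 501. Normalising the value first avoids both: `$content_type = isset($_SERVER['CONTENT_TYPE']) ? strtolower(trim(explode(';', $_SERVER['CONTENT_TYPE'])[0])) : '';` followed by `if(!in_array($content_type, ['application/json', 'application/x-www-form-urlencoded'], true)){`. The same raw value is still handed to `civiproxy_callback_validate_content_type()` in the context lines below and would be matched against the new `'content_type' => 'application/json'` entry in proxy/config.php; that function's body is not part of this patch, so whether it tolerates parameters should be confirmed. 415 Unsupported Media Type describes this rejection more precisely than 501. Because the header is only the client's declaration, the body validators (still `//TODO` in the callback.functions.php context) remain the actual control on what is forwarded to the target path.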
@@ -63,7 +69,4 @@ if(isset($validator['body'])){
 }

 // We have passed all the validators, forward the request
-
-// TODO for now, I have written my own method to pass on post requests. Would be
-// better to refactor / improve civiproxy_redirect()
 civiproxy_callback_redirect($definition['target_path'], $_SERVER['REQUEST_METHOD']);
diff --git a/proxy/config.php b/proxy/config.php
index ea0e4f8..35413b0 100644
--- a/proxy/config.php
+++ b/proxy/config.php
@@ -124,6 +124,7 @@ $callbacks = [
 'sparkpost' => [
 // 'secret' => '',
 'request_method' => 'POST',
+ 'content_type' => 'application/json',
 'target_path' => 'civicrm/sparkpost/callback'
 ]
 ];