[Bugfix] Ensure application/json is not acceptable media type

Closes #184

Author: lindyhopchris

CHANGELOG.md

@@ -7,10 +7,16 @@ All notable changes to this project will be documented in this file. This projec
 
 ### Added
 
-- The `JsonApiException` class now has a `context()` method. Laravel's exception handler uses this to add log context if
-  the exception is being logged. This means logging of JSON:API exceptions will now include the HTTP status code and the
+- The `JsonApiException` class now has a `context()` method. Laravel's exception handler uses this to add log context
+  when the exception is logged. This means logging of JSON:API exceptions will now include the HTTP status code and the
   JSON:API errors.
 
+### Fixed
+
+- [#184](https://github.com/laravel-json-api/laravel/issues/184) Ensure that an `Accept` header with the media type
+  `application/json` is rejected with a `406 Not Acceptable` response. Previously this media type worked, which is
+  incorrect as the JSON:API specification requires the media type `application/vnd.api+json`.
+
 ## [2.3.0] - 2022-04-11
 
 ### Added

src/Http/Requests/ResourceQuery.php

@@ -48,11 +48,11 @@ class ResourceQuery extends FormRequest implements QueryParameters
     private static $queryOneResolver;
 
     /**
+     * The media types the resource accepts, in addition to JSON:API.
+     *
      * @var string[]
      */
-    protected array $mediaTypes = [
-        self::JSON_API_MEDIA_TYPE,
-    ];
+    protected array $mediaTypes = [];
 
     /**
      * The include paths to use if the client provides none.
@@ -304,10 +304,24 @@ protected function failedValidation(Validator $validator)
      */
     protected function isAcceptableMediaType(): bool
     {
+        /**
+         * We expect the JSON:API media type to exactly match.
+         */
+        foreach ($this->getAcceptableContentTypes() as $contentType) {
+            if (self::JSON_API_MEDIA_TYPE === $contentType) {
+                return true;
+            }
+        }
+
+        /**
+         * Otherwise we check if any additional media types match.
+         */
         return $this->accepts($this->mediaTypes());
     }
 
     /**
+     * Get the media types the resource accepts, in addition to JSON:API.
+     *
      * @return string[]
      */
     protected function mediaTypes(): array

tests/dummy/tests/Api/V1/Posts/AttachMediaTest.php

@@ -166,12 +166,17 @@ public function testForbidden(): void
         $this->assertDatabaseCount('post_video', 1);
     }
 
-    public function testNotAcceptableMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
         $response = $this
             ->actingAs($this->post->author)
             ->jsonApi('posts')
-            ->accept('text/html')
+            ->accept($mediaType)
             ->withData([])
             ->post(url('/api/v1/posts', [$this->post, 'relationships', 'media']));
 

tests/dummy/tests/Api/V1/Posts/AttachTagsTest.php

@@ -140,7 +140,12 @@ public function testForbidden(): void
         $this->assertDatabaseCount('taggables', 2);
     }
 
-    public function testNotAcceptableMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
         $tag = Tag::factory()->create();
 
@@ -154,7 +159,7 @@ public function testNotAcceptableMediaType(): void
         $response = $this
             ->actingAs($this->post->author)
             ->jsonApi('posts')
-            ->accept('text/html')
+            ->accept($mediaType)
             ->withData($data)
             ->post(url('/api/v1/posts', [$this->post, 'relationships', 'tags']));
 

tests/dummy/tests/Api/V1/Posts/CreateTest.php

@@ -162,15 +162,20 @@ public function testUnauthorized(): void
         $this->assertDatabaseCount('posts', 0);
     }
 
-    public function testNotAcceptableMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
         $post = Post::factory()->make();
         $data = $this->serialize($post);
 
         $response = $this
             ->actingAs($post->author)
             ->jsonApi('posts')
-            ->accept('text/html')
+            ->accept($mediaType)
             ->withData($data)
             ->post('/api/v1/posts');
 

tests/dummy/tests/Api/V1/Posts/DetachMediaTest.php

@@ -177,12 +177,17 @@ public function testForbidden(): void
         $this->assertDatabaseCount('post_video', $existingVideos->count());
     }
 
-    public function testNotAcceptableMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
         $response = $this
             ->actingAs($this->post->author)
             ->jsonApi('posts')
-            ->accept('text/html')
+            ->accept($mediaType)
             ->withData([])
             ->delete(url('/api/v1/posts', [$this->post, 'relationships', 'media']));
 

tests/dummy/tests/Api/V1/Posts/DetachTagsTest.php

@@ -143,7 +143,12 @@ public function testForbidden(): void
         $this->assertDatabaseCount('taggables', 2);
     }
 
-    public function testNotAcceptableMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
         $tag = Tag::factory()->create();
 
@@ -157,7 +162,7 @@ public function testNotAcceptableMediaType(): void
         $response = $this
             ->actingAs($this->post->author)
             ->jsonApi('posts')
-            ->accept('text/html')
+            ->accept($mediaType)
             ->withData($data)
             ->delete(url('/api/v1/posts', [$this->post, 'relationships', 'tags']));
 

tests/dummy/tests/Api/V1/Posts/IndexTest.php

@@ -326,10 +326,16 @@ public function testWithCount(): void
         $response->assertFetchedManyExact($expected);
     }
 
-    public function testInvalidMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
-        $this->jsonApi()
-            ->accept('text/html')
+        $this
+            ->jsonApi()
+            ->accept($mediaType)
             ->get('/api/v1/posts')
             ->assertStatus(406);
     }

tests/dummy/tests/Api/V1/Posts/ReadAuthorIdentifierTest.php

@@ -137,10 +137,16 @@ public function testDraftAsAuthor(): void
         );
     }
 
-    public function testInvalidMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
-        $this->jsonApi()
-            ->accept('text/html')
+        $this
+            ->jsonApi()
+            ->accept($mediaType)
             ->get(url('/api/v1/posts', [$this->post, 'relationships', 'author']))
             ->assertStatus(406);
     }

tests/dummy/tests/Api/V1/Posts/ReadAuthorTest.php

@@ -132,10 +132,16 @@ public function testDraftAsAuthor(): void
         $response->assertFetchedOneExact($expected);
     }
 
-    public function testInvalidMediaType(): void
+    /**
+     * @param string $mediaType
+     * @return void
+     * @dataProvider notAcceptableMediaTypeProvider
+     */
+    public function testNotAcceptableMediaType(string $mediaType): void
     {
-        $this->jsonApi()
-            ->accept('text/html')
+        $this
+            ->jsonApi()
+            ->accept($mediaType)
             ->get(url('/api/v1/posts', [$this->post, 'author']))
             ->assertStatus(406);
     }