plone / plone.restapi

RESTful API for Plone.
http://plonerestapi.readthedocs.org/

jwt_auth plugin extractCredentials: check request content-type #1728

Closed davisagli closed 8 months ago

davisagli commented 8 months ago

Alternative to #1726

We should only try to parse the request body as JSON if there's a request header saying it's JSON.

netlify[bot] commented 8 months ago

Deploy Preview for plone-restapi canceled.

Name | Link
Latest commit | f21126438286aada268ffe2d45f687dad0590cee
Latest deploy log | https://app.netlify.com/sites/plone-restapi/deploys/654162942888b40008785ce9

mister-roboto commented 8 months ago

@davisagli thanks for creating this Pull Request and helping to improve Plone!

TL;DR: Finish pushing changes, pass all other checks, then paste a comment:

@jenkins-plone-org please run jobs

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.

Happy hacking!

davisagli commented 8 months ago

@jenkins-plone-org please run jobs

mauritsvanrees commented 8 months ago

For the record, I confirm that with this PR a POST to the @login endpoint still works, regardless of whether you set a Content-Type header or not, as long as you either set an Accept header or use the ++api++ namespace.

davisagli commented 8 months ago

@mauritsvanrees The Accept header doesn't sound relevant to me. That tells the server what content-type the client hopes to receive in the response, not what content-type it is sending in the request.

I confirmed that uploading large files in Volto still triggers the error, but that's expected. I guess we can catch BadRequest here, but I think that just hides the problem.

To really fix it for Volto, we need to:

I think this is a good path forward but it's not going to happen overnight.
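The check the PR description asks for (parse the body as JSON only when a request header says it is JSON) and the Content-Type vs. Accept distinction from the comment above, shown as an added standalone example. This is not plone.restapi's `jwt_auth` plugin code or its PAS API; `extract_credentials`, `is_json_content_type` and the sample requests are constructed for illustration, and the `++api++` namespace behaviour mentioned in the thread is not modelled. The "unchecked" variant shows the pre-fix pattern in which a non-JSON body, such as a multipart file upload, reaches the JSON parser and raises.

```python
"""Credential extraction that only parses JSON when the request says so.
Added example, not plone.restapi's own implementation."""
import json
from typing import Optional


def is_json_content_type(content_type: Optional[str]) -> bool:
    """True for 'application/json' and its parameterised forms such as
    'application/json; charset=utf-8'. Only the media type is compared;
    anything after ';' is ignored and the comparison is case-insensitive."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def extract_credentials(headers: dict, body: bytes) -> Optional[dict]:
    """Return {'login': ..., 'password': ...} from a JSON request body, or
    None when the request is not a JSON login attempt.

    Only Content-Type (what the client is sending) is consulted. Accept
    describes what the client wants back and is deliberately ignored.
    Non-JSON bodies (e.g. multipart uploads) are skipped rather than fed to
    json.loads, so they no longer raise inside credential extraction.
    """
    content_type = headers.get("Content-Type") or headers.get("content-type")
    if not is_json_content_type(content_type):
        return None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        # Header claims JSON but the body is not: report "no credentials"
        # so other authentication plugins can still run.
        return None
    if not isinstance(data, dict):
        return None
    login = data.get("login")
    password = data.get("password")
    if not (isinstance(login, str) and isinstance(password, str)):
        return None
    return {"login": login, "password": password}


def extract_credentials_unchecked(headers: dict, body: bytes) -> Optional[dict]:
    """Pre-fix pattern for contrast: parse unconditionally. A multipart
    upload body reaches json.loads here and raises ValueError."""
    data = json.loads(body.decode("utf-8", errors="replace"))
    if not isinstance(data, dict) or "login" not in data or "password" not in data:
        return None
    return {"login": data["login"], "password": data["password"]}


# Constructed sample requests (not captured traffic): (headers, body) pairs.
JSON_LOGIN = ({"Content-Type": "application/json; charset=utf-8"},
              b'{"login": "alice", "password": "s3cret"}')
ACCEPT_ONLY = ({"Accept": "application/json"},
               b'{"login": "alice", "password": "s3cret"}')
MULTIPART = ({"Content-Type": "multipart/form-data; boundary=XYZ"},
             b'--XYZ\r\nContent-Disposition: form-data; name="file"; '
             b'filename="big.bin"\r\n\r\n\x00\x01\x02\r\n--XYZ--\r\n')
BAD_JSON = ({"Content-Type": "application/json"}, b"{not json")

if __name__ == "__main__":
    samples = [("json", JSON_LOGIN), ("accept-only", ACCEPT_ONLY),
               ("multipart", MULTIPART), ("bad-json", BAD_JSON)]
    for name, (hdrs, body) in samples:
        print(f"{name:12s} checked   -> {extract_credentials(hdrs, body)}")
    try:
        extract_credentials_unchecked(*MULTIPART)
    except ValueError as exc:
        print(f"multipart    unchecked -> raises {type(exc).__name__}")
```

With the check in place a multipart upload yields `None` from credential extraction instead of an exception, and a request that sets only `Accept: application/json` is not treated as a JSON login body, matching the point that Accept describes the response, not the request.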

mauritsvanrees commented 8 months ago

This is good to go, I'll merge. Would be good to have this in a release soon. I may do that today, unless @tisto or @davisagli is earlier.

mauritsvanrees commented 8 months ago

Before release, please approve and merge PR #1729.