Enforce JSON Content-Type on mutating requests #76

@mikewheeleer

Reject non-JSON Content-Type on write requests

Description

src/index.ts mounts express.json({ limit: "100kb" }), which only parses bodies whose Content-Type is JSON and otherwise leaves req.body undefined. A POST /api/v1/pairs sent as text/plain or application/x-www-form-urlencoded therefore arrives with no parsed body and falls through the handlers' req.body ?? {} guards, producing confusing 400 invalid_request messages rather than a clear content-type rejection. This issue adds an explicit 415 unsupported_media_type guard for mutating methods.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-backend only.
  • Add a middleware that, for requests with a body-bearing method (POST, PATCH, PUT) that include a payload, requires a Content-Type of application/json (allowing charset parameters).
  • Respond 415 unsupported_media_type with the canonical { error, message, requestId } body when the type is missing or wrong.
  • Skip the check for GET/HEAD/DELETE/OPTIONS and for empty bodies.
  • Place the middleware after request-id assignment so the requestId is present in the error body, and before the route handlers.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/request-validation-28-content-type
  • Implement changes
    • Write code in: src/index.ts — add the content-type guard middleware.
    • Write comprehensive tests in: src/__tests__/index.test.ts — POST a pair with text/plain (415), with application/json (works), and a bodyless DELETE (unaffected).
    • Add documentation: note the content-type requirement in README.md.
    • Add TSDoc on the middleware.
    • Validate security: ensure a forged Content-Type cannot bypass the body-size limit or smuggle an unparsed body into a handler.
  • Test and commit

Test and commit

  • Run npm run build, npm run lint, and npm test.
  • Cover edge cases: missing content-type, wrong content-type, JSON with charset, empty body.
  • Paste the full npm test output in the PR.
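As an added worked example (not code from the Stableroute-backend repository), the guard below implements the requirements listed above and exercises the edge cases named under "Test and commit": missing Content-Type, wrong Content-Type, JSON with a charset parameter, and an empty body. It is typed against minimal request/response interfaces that are structurally compatible with Express's (req, res, next) signature, so it runs without the express package installed. The `requestId` field on the request and the `runGuard` harness are assumptions for illustration; how the real request-id middleware stores the id is not stated in the issue. In src/index.ts the guard would be mounted with app.use() after the request-id middleware and before express.json(), so that the 100kb limit still applies to accepted bodies and no handler ever receives an unparsed non-JSON body.

```typescript
// Added example: Content-Type guard for mutating requests. Not the project's own code.

interface GuardRequest {
  method: string;
  // Express lower-cases incoming header names; values may be string or string[].
  headers: Record<string, string | string[] | undefined>;
  requestId?: string; // assumption: populated by an upstream request-id middleware
}

interface GuardResponse {
  status(code: number): GuardResponse;
  json(body: unknown): GuardResponse;
}

type NextFunction = (err?: unknown) => void;

const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH"]);

function headerValue(headers: GuardRequest["headers"], name: string): string | undefined {
  const v = headers[name.toLowerCase()];
  return Array.isArray(v) ? v[0] : v;
}

/** True when the request carries a payload: a Transfer-Encoding header or a non-zero Content-Length. */
export function hasBody(req: GuardRequest): boolean {
  if (headerValue(req.headers, "transfer-encoding") !== undefined) return true;
  const cl = headerValue(req.headers, "content-length");
  if (cl === undefined) return false;
  const n = Number.parseInt(cl, 10);
  return Number.isFinite(n) && n > 0;
}

/** Media type without parameters, lower-cased: "application/json; charset=utf-8" -> "application/json". */
export function mediaType(contentType: string | undefined): string | undefined {
  if (contentType === undefined) return undefined;
  const [first = ""] = contentType.split(";");
  const base = first.trim().toLowerCase();
  return base === "" ? undefined : base;
}

export function isJsonContentType(contentType: string | undefined): boolean {
  return mediaType(contentType) === "application/json";
}

/**
 * Rejects POST/PUT/PATCH requests that carry a body whose Content-Type is not
 * application/json (charset parameters allowed) with 415 unsupported_media_type.
 * GET/HEAD/DELETE/OPTIONS and bodyless requests pass through untouched.
 */
export function requireJsonContentType(req: GuardRequest, res: GuardResponse, next: NextFunction): void {
  if (!MUTATING_METHODS.has(req.method.toUpperCase()) || !hasBody(req)) {
    next();
    return;
  }
  const ct = headerValue(req.headers, "content-type");
  if (isJsonContentType(ct)) {
    next();
    return;
  }
  res.status(415).json({
    error: "unsupported_media_type",
    message:
      ct === undefined
        ? "Content-Type header is required for requests with a body; use application/json"
        : `Unsupported Content-Type "${mediaType(ct) ?? ct}"; use application/json`,
    requestId: req.requestId,
  });
}

/** Outcome of one simulated request through the guard (test harness, assumption for illustration). */
export interface GuardOutcome {
  passed: boolean; // true when next() was called
  status?: number;
  body?: { error: string; message: string; requestId?: string };
}

/** Runs the guard against constructed headers without a real HTTP server. */
export function runGuard(method: string, headers: Record<string, string>, requestId = "req-example-1"): GuardOutcome {
  const outcome: GuardOutcome = { passed: false };
  const res: GuardResponse = {
    status(code: number) { outcome.status = code; return res; },
    json(body: unknown) { outcome.body = body as GuardOutcome["body"]; return res; },
  };
  requireJsonContentType({ method, headers, requestId }, res, () => { outcome.passed = true; });
  return outcome;
}
```

Because the check is purely header-based and runs before the JSON parser, a client cannot bypass the body-size limit by lying about the type: a forged application/json still reaches express.json() and its 100kb limit, and anything else never reaches a handler at all.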

Example commit message

feat(security): enforce application/json content-type on writes

Guidelines

  • Minimum 95 percent test coverage for impacted code.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
