Merge pull request #2538 from loopholelabs/2537-fix-json-response

Device Code Flow does not return application/json in Content-Type header

server/deviceflowhandlers.go

@@ -141,6 +141,10 @@ func (s *Server) handleDeviceCode(w http.ResponseWriter, r *http.Request) {
 		// https://tools.ietf.org/html/rfc8628#section-3.2
 		w.Header().Set("Cache-Control", "no-store")
 
+		// Response type should be application/json according to
+		// https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+		w.Header().Set("Content-Type", "application/json")
+
 		enc := json.NewEncoder(w)
 		enc.SetEscapeHTML(false)
 		enc.SetIndent("", "   ")

server/deviceflowhandlers_test.go

@@ -52,6 +52,7 @@ func TestHandleDeviceCode(t *testing.T) {
 		requestType            string
 		scopes                 []string
 		expectedResponseCode   int
+		expectedContentType    string
 		expectedServerResponse string
 	}{
 		{
@@ -60,6 +61,7 @@ func TestHandleDeviceCode(t *testing.T) {
 			requestType:          "POST",
 			scopes:               []string{"openid", "profile", "email"},
 			expectedResponseCode: http.StatusOK,
+			expectedContentType:  "application/json",
 		},
 		{
 			testName:             "Invalid request Type (GET)",
@@ -67,6 +69,7 @@ func TestHandleDeviceCode(t *testing.T) {
 			requestType:          "GET",
 			scopes:               []string{"openid", "profile", "email"},
 			expectedResponseCode: http.StatusBadRequest,
+			expectedContentType:  "application/json",
 		},
 	}
 	for _, tc := range tests {
@@ -101,6 +104,10 @@ func TestHandleDeviceCode(t *testing.T) {
 				t.Errorf("Unexpected Response Type.  Expected %v got %v", tc.expectedResponseCode, rr.Code)
 			}
 
+			if rr.Header().Get("content-type") != tc.expectedContentType {
+				t.Errorf("Unexpected Response Content Type.  Expected %v got %v", tc.expectedContentType, rr.Header().Get("content-type"))
+			}
+
 			body, err := io.ReadAll(rr.Body)
 			if err != nil {
 				t.Errorf("Could read token response %v", err)