Restored (X)HTML workaround in the proxy filter

Author: namedgraph

http-tests/proxy/GET-proxied-external-xhtml-406.sh

@@ -84,13 +84,14 @@
  * ACL is not checked for proxy requests: the proxy is a global transport function, not a document
  * operation. Access control is enforced by the target endpoint.
  * <p>
- * This filter rejects with {@link jakarta.ws.rs.NotAcceptableException} any request for which
- * content negotiation selects an (X)HTML variant. Rendering arbitrary external URIs as (X)HTML
- * through the full server-side pipeline (SPARQL DESCRIBE + XSLT) for every browser-originated
- * proxy request would cause unbounded resource exhaustion — a connection-pool and CPU amplification
- * attack vector. Browsers receive the LDH application shell from the downstream handler instead;
- * the client-side Saxon-JS layer then issues a second, RDF-typed request that hits this filter and
- * is proxied cheaply.
+ * This filter does <em>not</em> proxy requests from clients that explicitly accept (X)HTML.
+ * Rendering arbitrary external URIs as (X)HTML through the full server-side pipeline
+ * (SPARQL DESCRIBE + XSLT) is expensive and creates a resource-exhaustion attack vector.
+ * When the {@code Accept} header contains a non-wildcard {@code text/html} or
+ * {@code application/xhtml+xml} type, the filter returns immediately so the downstream handler
+ * serves the LDH application shell; the client-side Saxon-JS layer then issues a second, RDF-typed
+ * request that hits this filter and is proxied cheaply. Pure API clients that send only
+ * {@code *}{@code /*} (e.g. curl) reach the proxy because they do not list an explicit HTML type.
  *
  * @author Martynas Jusevičius {@literal <martynas@atomgraph.com>}
  */
@@ -115,20 +116,30 @@ public void filter(ContainerRequestContext requestContext) throws IOException
 
         URI targetURI = targetOpt.get();
 
-        // negotiate the response format from RDF/SPARQL writable types
+        // do not proxy requests from clients that explicitly accept (X)HTML — they expect the app
+        // shell, which the downstream handler serves. Browsers list text/html as a non-wildcard type;
+        // pure API clients (curl etc.) send only */* and must reach the proxy.
+        // (X)HTML is not offered for proxied documents — rendering external RDF as HTML server-side
+        // (SPARQL DESCRIBE + XSLT) is expensive and creates a resource-exhaustion attack vector
+        boolean clientAcceptsHtml = requestContext.getAcceptableMediaTypes().stream()
+            .anyMatch(mt -> !mt.isWildcardType() && !mt.isWildcardSubtype() &&
+                      (mt.isCompatible(MediaType.TEXT_HTML_TYPE) ||
+                       mt.isCompatible(MediaType.APPLICATION_XHTML_XML_TYPE)));
+        if (clientAcceptsHtml) return;
+
+        // negotiate the response format from RDF/SPARQL writable types only
+        // (client.MediaTypes prepends HTML/XHTML; strip them so selectVariant cannot pick them)
         List<MediaType> writableTypes = new ArrayList<>(getMediaTypes().getWritable(Model.class));
         writableTypes.addAll(getMediaTypes().getWritable(ResultSet.class));
+        writableTypes.removeIf(mt -> mt.isCompatible(MediaType.TEXT_HTML_TYPE) ||
+            mt.isCompatible(MediaType.APPLICATION_XHTML_XML_TYPE));
         List<Variant> variants = com.atomgraph.core.model.impl.Response.getVariants(
             writableTypes,
             getSystem().getSupportedLanguages(),
             new ArrayList<>());
-        
+
         Variant variant = getRequest().selectVariant(variants);
-        // (X)HTML is not offered for proxied documents — rendering external RDF as HTML server-side
-        // (SPARQL DESCRIBE + XSLT) is expensive and creates a resource-exhaustion attack vector
-        if (variant == null ||
-            variant.getMediaType().isCompatible(MediaType.TEXT_HTML_TYPE) ||
-            variant.getMediaType().isCompatible(MediaType.APPLICATION_XHTML_XML_TYPE))
+        if (variant == null)
         {
             if (log.isTraceEnabled()) log.trace("Requested Variant {} is not on the list of acceptable Response Variants: {}", variant, variants);
             throw new NotAcceptableException();

src/main/java/com/atomgraph/linkeddatahub/server/filter/request/ProxyRequestFilter.java

@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.Collections;
+import java.util.List;
 import java.util.Locale;
 import org.junit.Before;
 import org.junit.Test;
@@ -64,41 +65,46 @@ public void setUp()
     @Test
     public void testNonProxyRequestSkipsFilter() throws IOException
     {
-        // getProperty returns null by default; resolveTargetURI returns empty → filter exits immediately
         filter.filter(requestContext);
         verify(request, never()).selectVariant(anyList());
         verify(requestContext, never()).abortWith(any());
     }
 
-    /** No acceptable RDF/SPARQL variant — filter must throw 406. */
-    @Test(expected = NotAcceptableException.class)
-    public void testNullVariantThrowsNotAcceptable() throws IOException
+    /** Client explicitly accepts text/html — filter must return early (app shell). */
+    @Test
+    public void testHtmlAcceptReturnsEarly() throws IOException
     {
         when(requestContext.getProperty(AC.uri.getURI()))
             .thenReturn(URI.create("http://example.org/resource"));
-        when(request.selectVariant(anyList())).thenReturn(null);
+        when(requestContext.getAcceptableMediaTypes())
+            .thenReturn(List.of(MediaType.TEXT_HTML_TYPE));
         filter.filter(requestContext);
+        verify(request, never()).selectVariant(anyList());
+        verify(requestContext, never()).abortWith(any());
     }
 
-    /** text/html selected as best variant — filter must throw 406. */
-    @Test(expected = NotAcceptableException.class)
-    public void testHtmlVariantThrowsNotAcceptable() throws IOException
+    /** Client explicitly accepts application/xhtml+xml — filter must return early (app shell). */
+    @Test
+    public void testXhtmlAcceptReturnsEarly() throws IOException
     {
         when(requestContext.getProperty(AC.uri.getURI()))
             .thenReturn(URI.create("http://example.org/resource"));
-        when(request.selectVariant(anyList()))
-            .thenReturn(new Variant(MediaType.TEXT_HTML_TYPE, (Locale) null, null));
+        when(requestContext.getAcceptableMediaTypes())
+            .thenReturn(List.of(MediaType.APPLICATION_XHTML_XML_TYPE));
         filter.filter(requestContext);
+        verify(request, never()).selectVariant(anyList());
+        verify(requestContext, never()).abortWith(any());
     }
 
-    /** application/xhtml+xml selected as best variant — filter must throw 406. */
+    /** No acceptable RDF/SPARQL variant — filter must throw 406. */
     @Test(expected = NotAcceptableException.class)
-    public void testXhtmlVariantThrowsNotAcceptable() throws IOException
+    public void testNullVariantThrowsNotAcceptable() throws IOException
     {
         when(requestContext.getProperty(AC.uri.getURI()))
             .thenReturn(URI.create("http://example.org/resource"));
-        when(request.selectVariant(anyList()))
-            .thenReturn(new Variant(MediaType.APPLICATION_XHTML_XML_TYPE, (Locale) null, null));
+        when(requestContext.getAcceptableMediaTypes())
+            .thenReturn(List.of(MediaType.WILDCARD_TYPE));
+        when(request.selectVariant(anyList())).thenReturn(null);
         filter.filter(requestContext);
     }