Fix request body parsing when Content-Type header is missing

dahlia · dahlia · commit 04bf856671d9 · 2026-01-11T19:25:36.000+09:00
Some HTTP clients (like Lobsters' Sponge) don't set Content-Type header
for POST requests with form data. In this case, Hono's parseBody()
returns an empty object because it defaults to text/plain.

This fix manually parses the body as URL-encoded form data when
Content-Type is missing or set to text/plain.

Also adds comprehensive unit tests for requestBody() function.
diff --git a/src/helpers.test.ts b/src/helpers.test.ts
@@ -1,7 +1,217 @@
+import { Hono } from "hono";
 import { describe, expect, it } from "vitest";
-import { base64Url, randomBytes, URL_SAFE_REGEXP } from "./helpers";
+import { z } from "zod";
+import {
+  base64Url,
+  randomBytes,
+  requestBody,
+  URL_SAFE_REGEXP,
+} from "./helpers";
 
 describe("Helpers", () => {
+  describe("requestBody", () => {
+    const schema = z.object({
+      client_id: z.string(),
+      client_secret: z.string(),
+      grant_type: z.string().optional(),
+    });
+
+    it("parses application/json content type", async () => {
+      expect.assertions(1);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      const response = await app.request("/test", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          client_id: "test-id",
+          client_secret: "test-secret",
+        }),
+      });
+
+      const result = await response.json();
+      expect(result).toEqual({
+        success: true,
+        data: { client_id: "test-id", client_secret: "test-secret" },
+      });
+    });
+
+    it("parses application/x-www-form-urlencoded content type", async () => {
+      expect.assertions(1);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      const body = new URLSearchParams();
+      body.set("client_id", "test-id");
+      body.set("client_secret", "test-secret");
+
+      const response = await app.request("/test", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString(),
+      });
+
+      const result = await response.json();
+      expect(result).toEqual({
+        success: true,
+        data: { client_id: "test-id", client_secret: "test-secret" },
+      });
+    });
+
+    it("parses form data without Content-Type header", async () => {
+      expect.assertions(1);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      // Create a request without Content-Type header
+      // (simulating clients like Lobsters' Sponge)
+      const body =
+        "client_id=test-id&client_secret=test-secret&grant_type=authorization_code";
+      const request = new Request("http://localhost/test", {
+        method: "POST",
+        body,
+      });
+      // Remove the default Content-Type that might be set
+      request.headers.delete("Content-Type");
+
+      const response = await app.fetch(request);
+      const result = await response.json();
+
+      expect(result).toEqual({
+        success: true,
+        data: {
+          client_id: "test-id",
+          client_secret: "test-secret",
+          grant_type: "authorization_code",
+        },
+      });
+    });
+
+    it("parses form data with text/plain Content-Type", async () => {
+      expect.assertions(1);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      const body = "client_id=test-id&client_secret=test-secret";
+      const response = await app.request("/test", {
+        method: "POST",
+        headers: { "Content-Type": "text/plain" },
+        body,
+      });
+
+      const result = await response.json();
+      expect(result).toEqual({
+        success: true,
+        data: { client_id: "test-id", client_secret: "test-secret" },
+      });
+    });
+
+    it("parses form data with text/plain;charset=UTF-8 Content-Type", async () => {
+      expect.assertions(1);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      const body = "client_id=test-id&client_secret=test-secret";
+      const response = await app.request("/test", {
+        method: "POST",
+        headers: { "Content-Type": "text/plain;charset=UTF-8" },
+        body,
+      });
+
+      const result = await response.json();
+      expect(result).toEqual({
+        success: true,
+        data: { client_id: "test-id", client_secret: "test-secret" },
+      });
+    });
+
+    it("handles URL-encoded special characters correctly", async () => {
+      expect.assertions(1);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      // Test with URL-encoded values
+      const body = "client_id=test%2Bid&client_secret=secret%26value";
+      const response = await app.request("/test", {
+        method: "POST",
+        headers: { "Content-Type": "text/plain" },
+        body,
+      });
+
+      const result = await response.json();
+      expect(result).toEqual({
+        success: true,
+        data: { client_id: "test+id", client_secret: "secret&value" },
+      });
+    });
+
+    it("returns validation error for invalid data", async () => {
+      expect.assertions(2);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      const body = "invalid_field=value";
+      const response = await app.request("/test", {
+        method: "POST",
+        headers: { "Content-Type": "text/plain" },
+        body,
+      });
+
+      const result = await response.json();
+      expect(result.success).toBe(false);
+      expect(result.error).toBeDefined();
+    });
+
+    it("handles empty body gracefully", async () => {
+      expect.assertions(2);
+
+      const app = new Hono();
+      app.post("/test", async (c) => {
+        const result = await requestBody(c.req, schema);
+        return c.json(result);
+      });
+
+      const response = await app.request("/test", {
+        method: "POST",
+        headers: { "Content-Type": "text/plain" },
+        body: "",
+      });
+
+      const result = await response.json();
+      expect(result.success).toBe(false);
+      expect(result.error).toBeDefined();
+    });
+  });
+
   describe("base64Url", () => {
     it("returns a URL safe string", () => {
       expect.assertions(2);
diff --git a/src/helpers.ts b/src/helpers.ts
@@ -16,6 +16,26 @@ export async function requestBody<T extends z.ZodType = z.ZodTypeAny>(
     return await schema.safeParseAsync(json);
   }
 
+  // Some clients (like Lobsters' Sponge) don't set Content-Type header for
+  // POST requests with form data. In this case, Hono's parseBody() returns
+  // an empty object because it defaults to text/plain.
+  // We need to manually parse the body as URL-encoded form data.
+  if (
+    contentType === undefined ||
+    contentType === "text/plain" ||
+    contentType.startsWith("text/plain;")
+  ) {
+    const text = await req.text();
+    if (text?.includes("=")) {
+      const params = new URLSearchParams(text);
+      const parsed: Record<string, string> = {};
+      for (const [key, value] of params) {
+        parsed[key] = value;
+      }
+      return await schema.safeParseAsync(parsed);
+    }
+  }
+
   const formData = await req.parseBody();
   return await schema.safeParseAsync(formData);
 }
