Add test to verify JSON body dumping still works for non-multipart requests

Co-authored-by: kevwan <1918356+kevwan@users.noreply.github.com>

rest/handler/authhandler.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net/http"
 	"net/http/httputil"
+	"strings"
 
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/zeromicro/go-zero/core/logc"
@@ -99,10 +100,17 @@ func WithUnauthorizedCallback(callback UnauthorizedCallback) AuthorizeOption {
 
 func detailAuthLog(r *http.Request, reason string) {
 	// discard dump error, only for debug purpose
-	details, _ := httputil.DumpRequest(r, true)
+	// Skip dumping request body for multipart/form-data to avoid reading large files
+	dumpBody := !isMultipartFormData(r)
+	details, _ := httputil.DumpRequest(r, dumpBody)
 	logc.Errorf(r.Context(), "authorize failed: %s\n=> %+v", reason, string(details))
 }
 
+func isMultipartFormData(r *http.Request) bool {
+	contentType := r.Header.Get("Content-Type")
+	return strings.Contains(contentType, "multipart/form-data")
+}
+
 func unauthorized(w http.ResponseWriter, r *http.Request, err error, callback UnauthorizedCallback) {
 	writer := response.NewHeaderOnceResponseWriter(w)
 

rest/handler/authhandler_test.go

@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 
@@ -90,6 +91,128 @@ func TestAuthHandler_NilError(t *testing.T) {
 	})
 }
 
+func TestAuthHandlerWithJSONBody(t *testing.T) {
+	const key = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
+	
+	// Create a request with JSON body
+	jsonBody := `{"username":"test","password":"secret"}`
+	req := httptest.NewRequest(http.MethodPost, "http://localhost/login", 
+		strings.NewReader(jsonBody))
+	req.Header.Set("Content-Type", "application/json")
+	// Missing authorization header to trigger the unauthorized path
+	
+	handler := Authorize(key)(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+	
+	resp := httptest.NewRecorder()
+	handler.ServeHTTP(resp, req)
+	
+	// Should return unauthorized
+	assert.Equal(t, http.StatusUnauthorized, resp.Code)
+}
+
+func TestAuthHandlerWithMultipartFormData(t *testing.T) {
+	const key = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
+	
+	// Create a multipart form-data request
+	// We don't need actual body content since we're testing that
+	// the body is NOT read when Content-Type is multipart/form-data
+	req := httptest.NewRequest(http.MethodPost, "http://localhost/upload", 
+		http.NoBody)
+	req.Header.Set("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary")
+	// Missing authorization header to trigger the unauthorized path
+	
+	handler := Authorize(key)(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+	
+	resp := httptest.NewRecorder()
+	handler.ServeHTTP(resp, req)
+	
+	// Should return unauthorized
+	assert.Equal(t, http.StatusUnauthorized, resp.Code)
+}
+
+func TestAuthHandlerWithMultipartFormDataLargeFile(t *testing.T) {
+	const key = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
+	
+	// Create a multipart form-data request with a simulated large file
+	// This tests that the body is NOT consumed when Content-Type is multipart/form-data
+	largeContent := make([]byte, 1024*1024) // 1MB of data
+	for i := range largeContent {
+		largeContent[i] = byte(i % 256)
+	}
+	
+	req := httptest.NewRequest(http.MethodPost, "http://localhost/upload", 
+		http.NoBody)
+	req.Header.Set("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary")
+	req.Header.Set("Content-Length", "1048576")
+	// Missing authorization header to trigger the unauthorized path
+	
+	handler := Authorize(key)(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+	
+	resp := httptest.NewRecorder()
+	
+	// This should complete quickly without reading the body
+	start := time.Now()
+	handler.ServeHTTP(resp, req)
+	elapsed := time.Since(start)
+	
+	// Should return unauthorized
+	assert.Equal(t, http.StatusUnauthorized, resp.Code)
+	// Should complete in less than 100ms (without reading 1MB of data)
+	assert.Less(t, elapsed, 100*time.Millisecond)
+}
+
+func TestIsMultipartFormData(t *testing.T) {
+	tests := []struct {
+		name        string
+		contentType string
+		expected    bool
+	}{
+		{
+			name:        "multipart/form-data",
+			contentType: "multipart/form-data",
+			expected:    true,
+		},
+		{
+			name:        "multipart/form-data with boundary",
+			contentType: "multipart/form-data; boundary=----WebKitFormBoundary",
+			expected:    true,
+		},
+		{
+			name:        "application/json",
+			contentType: "application/json",
+			expected:    false,
+		},
+		{
+			name:        "application/x-www-form-urlencoded",
+			contentType: "application/x-www-form-urlencoded",
+			expected:    false,
+		},
+		{
+			name:        "empty content type",
+			contentType: "",
+			expected:    false,
+		},
+	}
+	
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodPost, "http://localhost", http.NoBody)
+			req.Header.Set("Content-Type", tt.contentType)
+			result := isMultipartFormData(req)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
 func buildToken(secretKey string, payloads map[string]any, seconds int64) (string, error) {
 	now := time.Now().Unix()
 	claims := make(jwt.MapClaims)