Duplicate HTTP Content-Type header

[silverwind]

Describe the bug
It seems Athen's HTTP server delivers duplicate HTTP Content-Type headers. It's not breaking anything as far as I can tell but my reverse proxy log is full of warnings regarding it.

$ curl -v http://athens/sumdb/sum.golang.org/lookup/modernc.org/token@v1.0.1 |& grep -i content-Type:
< Content-Type: application/json
< Content-Type: text/plain; charset=UTF-8
$ curl -v http://sum.golang.org/lookup/modernc.org/token@v1.0.1 |& grep -i content-Type:
< Content-Type: text/plain; charset=UTF-8

To Reproduce
Run above curl against athens

Expected behavior
A single Content-Type header.

Environment (please complete the following information):

• OS: Ubuntu 22.04 in a Docker container running gomods/athens
• Go version : go1.20.12 linux/amd64
• Proxy version : v0.13.1
• Storage (fs/mongodb/s3 etc.) : fs

Additional context
Potentialyl relevant config option:ATHENS_GO_BINARY_ENV_VARS=GOPROXY=proxy.golang.org,direct
Header seems to be coming from here:

athens/pkg/middleware/content_type.go

Line 11 in b72f01b

w.Header().Set("Content-Type", "application/json")

[matt0x6F]

@silverwind thanks for this report! You're certainly correct, from my own testing:

❯ curl -v http://localhost:3000/sumdb/sum.golang.org/lookup/github.com/matt0x6f/athens-test-repo@v1.0.0
*   Trying 127.0.0.1:3000...
* Connected to localhost (127.0.0.1) port 3000 (#0)
> GET /sumdb/sum.golang.org/lookup/github.com/matt0x6f/athens-test-repo@v1.0.0 HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: *
< Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< Cache-Control: public, max-age=10800
< Content-Length: 389
< Content-Type: application/json
< Content-Type: text/plain; charset=UTF-8
< Date: Sat, 20 Apr 2024 20:36:19 GMT
< Expires: Sat, 20 Apr 2024 23:36:19 GMT
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 0
<
25262111
github.com/matt0x6f/athens-test-repo v1.0.0 h1:QyR4h2t/LX1F5R9ipGD0Xy40Ti7wXWQtmZGb/ULfX4U=
github.com/matt0x6f/athens-test-repo v1.0.0/go.mod h1:AK0IEu9FDueopVcCOW9cuKpAZUymWO769GslenSoEzQ=

go.sum database tree
25262112
1b0R/OSEiS4qRbdIMMtwN5QYmZxF3iqm7EZH8tbW9tA=

— sum.golang.org Az3grpeXwxag6q4C0kcawxOzfBvPSRUgSqH9tlzRbxa0b0nspSJV2kU5ev7ilLmZ5D4J35yTt8uOTIvHOJ0DJUGf/gM=
* Connection #0 to host localhost left intact

I can't actually see where the ContentType() handler helper func is being applied in this case (at least on the sumdb route) so I'll dig a little further into what's making it set to JSON.

[matt0x6F]

Okay, so this issue is worse than originally described!

❯ curl -v http://localhost:3000/github.com/matt0x6f/athens-test-repo/@v/v1.0.0.mod
*   Trying 127.0.0.1:3000...
* Connected to localhost (127.0.0.1) port 3000 (#0)
> GET /github.com/matt0x6f/athens-test-repo/@v/v1.0.0.mod HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Sat, 20 Apr 2024 20:47:00 GMT
< Content-Length: 53
<
module github.com/matt0x6f/athens-test-repo

go 1.22
* Connection #0 to host localhost left intact

Us setting application/json at the router level is probably causing these problems: https://github.com/gomods/athens/blob/main/cmd/proxy/actions/app.go#L55

We can two one of two things:

• Expect each endpoint to set its own Content-Type
• Widely apply application/json and then make sure each endpoint removes that header when overriding it.

We should probably do an audit of all of our routes for content type to fully fix this issue. @nrwiersma any thoughts on how to best tackle this?