fix: validate content type and protocol version in REST routes

- Removing consumes from route annotations and adding explicit ContentTypeNotSupportedError validation in sendMessage/sendMessageStreaming
- Moving VersionNotSupportedError HTTP status from 501 -> 400
- Adding unit and integration tests for both scenarios

fix: HTTP+JSON error mapping is incorrect for ContentTypeNotSupportedError & VersionNotSupportedError

Signed-off-by: Emmanuel Hugonnet <ehugonne@redhat.com>

Author: ehsavoie

reference/rest/src/main/java/io/a2a/server/rest/quarkus/A2AServerRoutes.java

@@ -31,6 +31,7 @@
 import io.a2a.server.extensions.A2AExtensions;
 import io.a2a.server.util.async.Internal;
 import io.a2a.spec.A2AError;
+import io.a2a.spec.ContentTypeNotSupportedError;
 import io.a2a.spec.InternalError;
 import io.a2a.spec.InvalidParamsError;
 import io.a2a.spec.MethodNotFoundError;
@@ -165,8 +166,13 @@ public class A2AServerRoutes {
      * @param body the JSON request body
      * @param rc the Vert.x routing context
      */
-    @Route(regex = "^\\/(?<tenant>[^\\/]*\\/?)message:send$", order = 1, methods = {Route.HttpMethod.POST}, consumes = {APPLICATION_JSON}, type = Route.HandlerType.BLOCKING)
+    @Route(regex = "^\\/(?<tenant>[^\\/]*\\/?)message:send$", order = 1, methods = {Route.HttpMethod.POST}, type = Route.HandlerType.BLOCKING)
     public void sendMessage(@Body String body, RoutingContext rc) {
+        String contentType = rc.request().getHeader(CONTENT_TYPE);
+        if (contentType == null || !contentType.contains(APPLICATION_JSON)) {
+            sendResponse(rc, jsonRestHandler.createErrorResponse(new ContentTypeNotSupportedError(null, null, null)));
+            return;
+        }
         ServerCallContext context = createCallContext(rc, SEND_MESSAGE_METHOD);
         HTTPRestResponse response = null;
         try {
@@ -198,8 +204,13 @@ public void sendMessage(@Body String body, RoutingContext rc) {
      * @param body the JSON request body
      * @param rc the Vert.x routing context
      */
-    @Route(regex = "^\\/(?<tenant>[^\\/]*\\/?)message:stream$", order = 1, methods = {Route.HttpMethod.POST}, consumes = {APPLICATION_JSON}, type = Route.HandlerType.BLOCKING)
+    @Route(regex = "^\\/(?<tenant>[^\\/]*\\/?)message:stream$", order = 1, methods = {Route.HttpMethod.POST}, type = Route.HandlerType.BLOCKING)
     public void sendMessageStreaming(@Body String body, RoutingContext rc) {
+        String contentType = rc.request().getHeader(CONTENT_TYPE);
+        if (contentType == null || !contentType.contains(APPLICATION_JSON)) {
+            sendResponse(rc, jsonRestHandler.createErrorResponse(new ContentTypeNotSupportedError(null, null, null)));
+            return;
+        }
         ServerCallContext context = createCallContext(rc, SEND_STREAMING_MESSAGE_METHOD);
         HTTPRestStreamingResponse streamingResponse = null;
         HTTPRestResponse error = null;
@@ -339,6 +350,11 @@ public void getTask(RoutingContext rc) {
      */
     @Route(regex = "^\\/(?<tenant>[^\\/]*\\/?)tasks\\/(?<taskId>[^/]+):cancel$", order = 1, methods = {Route.HttpMethod.POST}, type = Route.HandlerType.BLOCKING)
     public void cancelTask(@Body String body, RoutingContext rc) {
+        String contentType = rc.request().getHeader(CONTENT_TYPE);
+        if (contentType == null || !contentType.contains(APPLICATION_JSON)) {
+            sendResponse(rc, jsonRestHandler.createErrorResponse(new ContentTypeNotSupportedError(null, null, null)));
+            return;
+        }
         String taskId = rc.pathParam("taskId");
         ServerCallContext context = createCallContext(rc, CANCEL_TASK_METHOD);
         HTTPRestResponse response = null;
@@ -443,8 +459,13 @@ public void subscribeToTask(RoutingContext rc) {
      * @param body the JSON request body with notification configuration
      * @param rc the Vert.x routing context (taskId extracted from path)
      */
-    @Route(regex = "^\\/(?<tenant>[^\\/]*\\/?)tasks\\/(?<taskId>[^/]+)\\/pushNotificationConfigs$", order = 1, methods = {Route.HttpMethod.POST}, consumes = {APPLICATION_JSON}, type = Route.HandlerType.BLOCKING)
+    @Route(regex = "^\\/(?<tenant>[^\\/]*\\/?)tasks\\/(?<taskId>[^/]+)\\/pushNotificationConfigs$", order = 1, methods = {Route.HttpMethod.POST}, type = Route.HandlerType.BLOCKING)
     public void CreateTaskPushNotificationConfiguration(@Body String body, RoutingContext rc) {
+        String contentType = rc.request().getHeader(CONTENT_TYPE);
+        if (contentType == null || !contentType.contains(APPLICATION_JSON)) {
+            sendResponse(rc, jsonRestHandler.createErrorResponse(new ContentTypeNotSupportedError(null, null, null)));
+            return;
+        }
         String taskId = rc.pathParam("taskId");
         ServerCallContext context = createCallContext(rc, SET_TASK_PUSH_NOTIFICATION_CONFIG_METHOD);
         HTTPRestResponse response = null;

reference/rest/src/test/java/io/a2a/server/rest/quarkus/A2AServerRoutesTest.java

@@ -18,6 +18,7 @@
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -26,6 +27,8 @@
 import jakarta.enterprise.inject.Instance;
 
 import io.a2a.server.ServerCallContext;
+import io.a2a.spec.ContentTypeNotSupportedError;
+import io.a2a.spec.VersionNotSupportedError;
 import io.a2a.transport.rest.handler.RestHandler;
 import io.a2a.transport.rest.handler.RestHandler.HTTPRestResponse;
 import io.vertx.core.Future;
@@ -80,6 +83,7 @@ public void setUp() {
         when(mockRoutingContext.user()).thenReturn(null);
         when(mockRequest.headers()).thenReturn(mockHeaders);
         when(mockRequest.params()).thenReturn(mockParams);
+        when(mockRequest.getHeader(any(CharSequence.class))).thenReturn("application/json");
         when(mockRoutingContext.body()).thenReturn(mockRequestBody);
         when(mockRequestBody.asString()).thenReturn("{}");
         when(mockResponse.setStatusCode(any(Integer.class))).thenReturn(mockResponse);
@@ -438,6 +442,61 @@ public void testDeleteTaskPushNotificationConfiguration_MethodNameSetInContext()
         assertEquals(DELETE_TASK_PUSH_NOTIFICATION_CONFIG_METHOD, capturedContext.getState().get(METHOD_NAME_KEY));
     }
 
+    @Test
+    public void testSendMessage_UnsupportedContentType_ReturnsContentTypeNotSupportedError() {
+        // Arrange
+        HTTPRestResponse mockErrorResponse = mock(HTTPRestResponse.class);
+        when(mockErrorResponse.getStatusCode()).thenReturn(415);
+        when(mockErrorResponse.getContentType()).thenReturn("application/problem+json");
+        when(mockErrorResponse.getBody()).thenReturn("{\"type\":\"https://a2a-protocol.org/errors/content-type-not-supported\"}");
+        when(mockRestHandler.createErrorResponse(any(ContentTypeNotSupportedError.class))).thenReturn(mockErrorResponse);
+        when(mockRequest.getHeader(any(CharSequence.class))).thenReturn("text/plain");
+
+        // Act
+        routes.sendMessage("{}", mockRoutingContext);
+
+        // Assert: createErrorResponse called with ContentTypeNotSupportedError, sendMessage NOT called
+        verify(mockRestHandler).createErrorResponse(any(ContentTypeNotSupportedError.class));
+        verify(mockRestHandler, never()).sendMessage(any(ServerCallContext.class), anyString(), anyString());
+    }
+
+    @Test
+    public void testSendMessageStreaming_UnsupportedContentType_ReturnsContentTypeNotSupportedError() {
+        // Arrange
+        HTTPRestResponse mockErrorResponse = mock(HTTPRestResponse.class);
+        when(mockErrorResponse.getStatusCode()).thenReturn(415);
+        when(mockErrorResponse.getContentType()).thenReturn("application/problem+json");
+        when(mockErrorResponse.getBody()).thenReturn("{\"type\":\"https://a2a-protocol.org/errors/content-type-not-supported\"}");
+        when(mockRestHandler.createErrorResponse(any(ContentTypeNotSupportedError.class))).thenReturn(mockErrorResponse);
+        when(mockRequest.getHeader(any(CharSequence.class))).thenReturn("text/plain");
+
+        // Act
+        routes.sendMessageStreaming("{}", mockRoutingContext);
+
+        // Assert: createErrorResponse called with ContentTypeNotSupportedError, sendStreamingMessage NOT called
+        verify(mockRestHandler).createErrorResponse(any(ContentTypeNotSupportedError.class));
+        verify(mockRestHandler, never()).sendStreamingMessage(any(ServerCallContext.class), anyString(), anyString());
+    }
+
+    @Test
+    public void testSendMessage_UnsupportedProtocolVersion_ReturnsVersionNotSupportedError() {
+        // Arrange: content type is OK, but RestHandler returns a VersionNotSupportedError response
+        HTTPRestResponse mockErrorResponse = mock(HTTPRestResponse.class);
+        when(mockErrorResponse.getStatusCode()).thenReturn(400);
+        when(mockErrorResponse.getContentType()).thenReturn("application/problem+json");
+        when(mockErrorResponse.getBody()).thenReturn("{\"type\":\"https://a2a-protocol.org/errors/version-not-supported\"}");
+        when(mockRequest.getHeader(any(CharSequence.class))).thenReturn("application/json");
+        when(mockRestHandler.sendMessage(any(ServerCallContext.class), anyString(), anyString()))
+                .thenReturn(mockErrorResponse);
+
+        // Act
+        routes.sendMessage("{}", mockRoutingContext);
+
+        // Assert: sendMessage was called and error response forwarded
+        verify(mockRestHandler).sendMessage(any(ServerCallContext.class), anyString(), eq("{}"));
+        verify(mockResponse).setStatusCode(400);
+    }
+
     /**
      * Helper method to set a field via reflection for testing purposes.
      */

reference/rest/src/test/java/io/a2a/server/rest/quarkus/QuarkusA2ARestTest.java

@@ -30,6 +30,39 @@ protected String getTransportUrl() {
     @Override
     protected abstract void configureTransport(ClientBuilder builder);
 
+    @Test
+    public void testSendMessageWithUnsupportedContentType() throws Exception {
+        HttpClient client = HttpClient.newBuilder()
+                .version(HttpClient.Version.HTTP_2)
+                .build();
+        HttpRequest request = HttpRequest.newBuilder()
+                .uri(URI.create("http://localhost:" + serverPort + "/message:send"))
+                .POST(HttpRequest.BodyPublishers.ofString("test body"))
+                .header("Content-Type", "text/plain")
+                .build();
+        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+        Assertions.assertEquals(415, response.statusCode());
+        Assertions.assertTrue(response.body().contains("content-type-not-supported"),
+                "Expected content-type-not-supported in response body: " + response.body());
+    }
+
+    @Test
+    public void testSendMessageWithUnsupportedProtocolVersion() throws Exception {
+        HttpClient client = HttpClient.newBuilder()
+                .version(HttpClient.Version.HTTP_2)
+                .build();
+        HttpRequest request = HttpRequest.newBuilder()
+                .uri(URI.create("http://localhost:" + serverPort + "/message:send"))
+                .POST(HttpRequest.BodyPublishers.ofString("{}"))
+                .header("Content-Type", APPLICATION_JSON)
+                .header("A2A-Version", "0.4.0")
+                .build();
+        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+        Assertions.assertEquals(400, response.statusCode());
+        Assertions.assertTrue(response.body().contains("version-not-supported"),
+                "Expected version-not-supported in response body: " + response.body());
+    }
+
     @Test
     public void testMethodNotFound() throws Exception {
         // Create the client

transport/rest/src/main/java/io/a2a/transport/rest/handler/RestHandler.java

@@ -770,8 +770,7 @@ private static int mapErrorToHttpStatus(A2AError error) {
             return 409;
         }
         if (error instanceof PushNotificationNotSupportedError
-                || error instanceof UnsupportedOperationError
-                || error instanceof VersionNotSupportedError) {
+                || error instanceof UnsupportedOperationError) {
             return 501;
         }
         if (error instanceof ContentTypeNotSupportedError) {
@@ -781,7 +780,8 @@ private static int mapErrorToHttpStatus(A2AError error) {
             return 502;
         }
         if (error instanceof ExtendedAgentCardNotConfiguredError
-                || error instanceof ExtensionSupportRequiredError) {
+                || error instanceof ExtensionSupportRequiredError
+                || error instanceof VersionNotSupportedError) {
             return 400;
         }
         if (error instanceof InternalError) {

transport/rest/src/test/java/io/a2a/transport/rest/handler/RestHandlerTest.java

@@ -777,7 +777,7 @@ public void testVersionNotSupportedErrorOnSendMessage() {
 
         RestHandler.HTTPRestResponse response = handler.sendMessage(contextWithVersion, "", requestBody);
 
-        assertProblemDetail(response, 501,
+        assertProblemDetail(response, 400,
                 "https://a2a-protocol.org/errors/version-not-supported",
                 "Protocol version '2.0' is not supported. Supported versions: [1.0]");
     }