Browsers set a real image Content-Type (image/png, image/jpeg, ...) on the multipart avatar part, while programmatic clients often send application/octet-stream. The part contentType tag is an allow-list for Huma's MimeTypeValidator, which runs before the handler; broaden it so both cases are accepted instead of being rejected with a 422. The byte-level mimetype.DetectReader check in the handler remains the real security gate and is unchanged. Extend the webtest with a case that sends a part declared as image/png and asserts it reaches the handler successfully. |
||
|---|---|---|
| .. | ||
| v1 | ||
| v2 | ||