From e8a10356ddf104e70a881706bd967c91dc698cbf Mon Sep 17 00:00:00 2001
From: Raymond Penners
Date: Wed, 25 Oct 2023 20:55:18 +0200
Subject: [PATCH] fix(account/middleware): Check content type vs. dangling login

---
 allauth/account/middleware.py | 5 +++++
 allauth/account/tests/test_middleware.py | 23 ++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/allauth/account/middleware.py b/allauth/account/middleware.py
index e8f7ed59d1..250b41cc09 100644
--- a/allauth/account/middleware.py
+++ b/allauth/account/middleware.py
@@ -20,6 +20,11 @@ def process_exception(self, request, exception):
         return exception.response
     def _remove_dangling_login(self, request, response):
+        content_type = response.headers.get("content-type")
+        if content_type:
+            content_type = content_type.partition(";")[0]
+        if content_type and content_type != "text/html":
+            return
         if request.path.startswith(settings.STATIC_URL) or request.path in [
             "/favicon.ico",
             "/robots.txt",
diff --git a/allauth/account/tests/test_middleware.py b/allauth/account/tests/test_middleware.py
index e50c1866c8..92964837ab 100644
--- a/allauth/account/tests/test_middleware.py
+++ b/allauth/account/tests/test_middleware.py
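Review bot: The comparison `content_type != "text/html"` in the added block is case-sensitive and does not strip whitespace, so a response typed `Text/HTML` or `text/html ; charset=utf-8` is classified as non-HTML and the pending `account_login` state is left in the session even though the user navigated to an ordinary page; media types are case-insensitive and the parameter separator may carry whitespace. Normalize the value before comparing, `content_type = content_type.partition(";")[0].strip().lower()`. `response.headers` also presumes a Django version that exposes the case-insensitive headers mapping; if older versions are still supported by this file (not visible here), `response.get("content-type")` behaves the same on all of them. The early return deserves a why-comment for the next reader, along the lines of `# Non-HTML responses (API calls, assets) are not the user leaving the login flow, so keep the pending login.` — the intent is inferred from the test names, so confirm. `_remove_dangling_login` continues past the end of the hunk.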
@@ -7,19 +7,24 @@
 @pytest.mark.parametrize(
-    "path,status_code,login_removed",
+    "path,status_code,content_type,login_removed",
     [
-        ("/", 200, True),
-        ("/", 404, False),
-        (settings.STATIC_URL, 200, False),
-        ("/favicon.ico", 200, False),
-        ("/robots.txt", 200, False),
-        ("/humans.txt", 200, False),
+        ("/", 200, "text/html", True),
+        ("/", 200, "text/html; charset=utf8", True),
+        ("/", 200, "text/txt", False),
+        ("/", 404, "text/html", False),
+        (settings.STATIC_URL, 200, "text/html", False),
+        ("/favicon.ico", 200, "image/x-icon", False),
+        ("/robots.txt", 200, "text/plain", False),
+        ("/robots.txt", 200, "text/html", False),
+        ("/humans.txt", 200, "text/plain", False),
     ],
 )
-def test_remove_dangling_login(rf, path, status_code, login_removed):
+def test_remove_dangling_login(rf, path, status_code, login_removed, content_type):
     request = rf.get(path)
     request.session = {"account_login": True}
-    mw = AccountMiddleware(lambda request: HttpResponse(status=status_code))
+    response = HttpResponse(status=status_code)
+    response["Content-Type"] = content_type
+    mw = AccountMiddleware(lambda request: response)
     mw(request)
     assert ("account_login" in request.session) is (not login_removed)
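Review bot: No parametrized case exercises a response with no Content-Type header at all, so the `if content_type:` guard in the middleware that lets a header-less response fall through to the removal logic stays untested; because every case here assigns `response["Content-Type"]`, covering it needs a sentinel such as `None` in the table and `del response["Content-Type"]` in the body before the middleware runs. A realistic API type, `("/", 200, "application/json", False)`, would also document the intended behaviour better than the non-standard `text/txt`, and a case like `("/", 200, "Text/HTML", True)` would pin down whether case-insensitive matching is intended. As a point of style, the new signature lists `login_removed` before `content_type` while the parametrize string names them in the opposite order; pytest binds by name so it works, but `def test_remove_dangling_login(rf, path, status_code, content_type, login_removed):` reads consistently with the table.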