pub async fn normalize_problem_response(resp: Response) -> Response

FUZZ-WAVE-1 MED-1 / MED-2: response-mapping middleware that
guarantees every 4xx leaving the server carries
Content-Type: application/problem+json (RFC 9457 §3).

axum’s built-in extractors (Json, Path, Query,
DefaultBodyLimit) reject malformed input by returning a bare
text/plain body with the error string. The application-level
AppError path is already problem+json; this layer brings axum’s
built-in rejections — plus the 404/405 fallbacks below — into the
same wire shape.

Strategy: inspect the outgoing response. If status is 4xx and
the existing Content-Type is not application/problem+json,
drain the body, pick a kind from the status, and re-emit. Headers
other than Content-Type/Content-Length are preserved verbatim — this
matters for 405 where axum already set Allow:.

2xx, 3xx, and 5xx responses pass through unchanged. The Critical finding in the wave-1 report (5xx leak) is out of scope for this fix; this middleware only normalises 4xx content-type.
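
The strategy above, modelled without axum as an added example (not this crate's code). Resp, kind_for and normalize are hypothetical names, and the status-to-title mapping and the choice to drop the drained text rather than echo it are assumptions.

```rust
// Added example: std-only model of the strategy; all names here are hypothetical.
#[derive(Debug, Clone, PartialEq)]
pub struct Resp { pub status: u16, pub headers: Vec<(String, String)>, pub body: String }

const PROBLEM_JSON: &str = "application/problem+json";

/// True when Content-Type is already problem+json, ignoring case and parameters.
fn is_problem_json(headers: &[(String, String)]) -> bool {
    headers.iter().any(|(k, v)| {
        k.eq_ignore_ascii_case("content-type")
            && v.split(';').next().unwrap_or("").trim().eq_ignore_ascii_case(PROBLEM_JSON)
    })
}

/// Assumed status -> kind mapping; the project's real kinds are not shown on the page.
fn kind_for(status: u16) -> &'static str {
    match status {
        400 => "Bad Request",
        404 => "Not Found",
        405 => "Method Not Allowed",
        413 => "Content Too Large",
        415 => "Unsupported Media Type",
        _ => "Client Error",
    }
}

pub fn normalize(mut resp: Resp) -> Resp {
    // 2xx, 3xx and 5xx pass through; so does a 4xx that is already problem+json.
    if !(400..500).contains(&resp.status) || is_problem_json(&resp.headers) {
        return resp;
    }
    // Drain the original body (assumption: dropped, not echoed) and re-emit.
    resp.body = format!(
        r#"{{"type":"about:blank","title":"{}","status":{}}}"#,
        kind_for(resp.status), resp.status
    );
    // Replace only Content-Type / Content-Length; other headers (e.g. Allow) stay verbatim.
    resp.headers.retain(|(k, _)| {
        !k.eq_ignore_ascii_case("content-type") && !k.eq_ignore_ascii_case("content-length")
    });
    resp.headers.push(("content-type".into(), PROBLEM_JSON.into()));
    resp.headers.push(("content-length".into(), resp.body.len().to_string()));
    resp
}

fn main() {
    // Constructed sample: a 405 that already carries Allow.
    let r = normalize(Resp { status: 405, headers: vec![("allow".into(), "GET,HEAD".into())], body: String::new() });
    println!("{:?}", r);
}
```

Comparing only the media type, without parameters and case-insensitively, keeps a response already labelled application/problem+json; charset=utf-8 from being rewritten a second time.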