Safebrowsing API returns 'Invalid JSON payload received'

Question

I'm using Safe browsing API to check some URLs from my database, but the request gives me this result:

data {
  "error": {
    "code": 400,
    "message": "Invalid JSON payload received. Unknown name \"threatInfo[threatTypes][0]\": Cannot bind query parameter. Field 'threatInfo[threatTypes][0]' could not be found in request message.\nInvalid JSON payload received. Unknown name \"threatInfo[threatTypes][1]\": Cannot bind query parameter. Field 'threatInfo[threatTypes][1]' could not be found in request message.\nInvalid JSON payload received. Unknown name \"threatInfo[platformTypes][0]\": Cannot bind query parameter. Field 'threatInfo[platformTypes][0]' could not be found in request message.\nInvalid JSON payload received. Unknown name \"threatInfo[threatEntryTypes][0]\": Cannot bind query parameter. Field 'threatInfo[threatEntryTypes][0]' could not be found in request message.\nInvalid JSON payload received. Unknown name \"threatInfo[threatEntries][0][url]\": Cannot bind query parameter. Field 'threatInfo[threatEntries][0][url]' could not be found in request message."
  }
} 

I'm trying the following code:

const request = require('request');
    const body = {
      threatInfo: {
        threatTypes: ["SOCIAL_ENGINEERING", "MALWARE"],
        platformTypes: ["ANY_PLATFORM"],
        threatEntryTypes: ["URL"],
        threatEntries: [{url: "http://www.urltocheck2.org/"}]
      }
    }

    const options = {
      headers: {
        "Content-Type": "application/json"
      },
      method: "POST",
      url: "https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${API_KEY}",
      form: body
    }

    console.log(options);
    request(options,
        function(err, res, data) {
            console.log('data', data)
            if (!err && res.statusCode == 200) {
              console.log(data);
            }
        }
    )

I expected the output of the request be {} with a 200 status code on this sample.

Answer 1

If you look in the request() doc for the form property, you will see this:

form - when passed an object or a querystring, this sets body to a querystring representation of value, and adds Content-type: application/x-www-form-urlencoded header. When passed no options, a FormData instance is returned (and is piped to request). See "Forms" section above.

When you look at the Google safe browsing API, you will see this:

POST https://safebrowsing.googleapis.com/v4/threatMatches:find?key=API_KEY HTTP/1.1 Content-Type: application/json

You are sending Content-type: application/x-www-form-urlencoded, but the API wants Content-Type: application/json. You need to send JSON, not form encoded data.

You can probably just change the form property to the json property by changing from this:

const options = {
  headers: {
    "Content-Type": "application/json"
  },
  method: "POST",
  url: "https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${API_KEY}",
  form: body
}

to this:

const options = {
  method: "POST",
  url: "https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${API_KEY}",
  json: body     // <=== change here
}

The content-type is automatically set either way to match the format of the generated body so you don't need to set it.