fix(account/middleware): Check content type vs. dangling login

allauth/account/middleware.py

@@ -20,6 +20,11 @@ def process_exception(self, request, exception):
             return exception.response
 
     def _remove_dangling_login(self, request, response):
+        content_type = response.headers.get("content-type")
+        if content_type:
+            content_type = content_type.partition(";")[0]
+        if content_type and content_type != "text/html":
+            return
         if request.path.startswith(settings.STATIC_URL) or request.path in [
             "/favicon.ico",
             "/robots.txt",

allauth/account/tests/test_middleware.py

@@ -7,19 +7,24 @@
 
 
 @pytest.mark.parametrize(
-    "path,status_code,login_removed",
+    "path,status_code,content_type,login_removed",
     [
-        ("/", 200, True),
-        ("/", 404, False),
-        (settings.STATIC_URL, 200, False),
-        ("/favicon.ico", 200, False),
-        ("/robots.txt", 200, False),
-        ("/humans.txt", 200, False),
+        ("/", 200, "text/html", True),
+        ("/", 200, "text/html; charset=utf8", True),
+        ("/", 200, "text/txt", False),
+        ("/", 404, "text/html", False),
+        (settings.STATIC_URL, 200, "text/html", False),
+        ("/favicon.ico", 200, "image/x-icon", False),
+        ("/robots.txt", 200, "text/plain", False),
+        ("/robots.txt", 200, "text/html", False),
+        ("/humans.txt", 200, "text/plain", False),
     ],
 )
-def test_remove_dangling_login(rf, path, status_code, login_removed):
+def test_remove_dangling_login(rf, path, status_code, login_removed, content_type):
     request = rf.get(path)
     request.session = {"account_login": True}
-    mw = AccountMiddleware(lambda request: HttpResponse(status=status_code))
+    response = HttpResponse(status=status_code)
+    response["Content-Type"] = content_type
+    mw = AccountMiddleware(lambda request: response)
     mw(request)
     assert ("account_login" in request.session) is (not login_removed)