Replace Content-Type with Accept on bodyless GET proxy routes #1243

Open
vishsanghishetty wants to merge 1 commit into ambient-code:main from vishsanghishetty:fix/1002-replace-content-type-with-accept

vishsanghishetty (Contributor) commented Apr 7, 2026

Closes #1002

What changed

The root cause is buildForwardHeaders in lib/auth.ts — it unconditionally sets Content-Type: application/json on every outbound request, even GET proxies with no body. Changed it to default to Accept: application/json instead, which fixes all ~40 GET routes that use the helper in one shot.

On top of that, replaced the literal Content-Type with Accept on the 5 routes called out in the issue (version, cluster-info, settings GET, workflows/ootb, feature-flags).

Since POST/PUT routes that send a body still need Content-Type, added it explicitly to the 14 routes that were relying on the helper for it (projects, permissions, keys, auth connect routes, agentic-sessions, workflow, repos, configure-remote, feature-flag override, forks). Routes that already had explicit Content-Type (scheduled-sessions, runner-secrets, integration-secrets, agui, mcp/invoke, workspace paths) were unaffected.

Scope

| Category | Count | Action |
|---|---|---|
| buildForwardHeaders helper | 1 file | Content-Type → Accept |
| GET routes with literal Content-Type | 5 files | replaced with Accept |
| POST/PUT routes with body (relied on helper) | 14 files | added explicit Content-Type |
| POST/PUT routes with explicit Content-Type already | ~10 files | no change needed |
| Bodyless POST/DELETE routes | ~8 files | no change needed |

Full audit of all 94 route files under src/app/api/ — nothing missed.

How I tested

Static analysis: tsc --noEmit, eslint on all 20 changed files, vitest run (631 passed, 0 failures).

Live testing against the Kind cluster — ran the frontend locally (Next.js dev server on port 3000) with the backend port-forwarded from the ambient-main Kind cluster, then curled every modified route type through the proxy layer:

| Route | Method | Result |
|---|---|---|
| /api/version | GET | 200 — returned version JSON |
| /api/cluster-info | GET | 200 — returned cluster info |
| /api/workflows/ootb | GET | 200 — returned workflows list |
| /api/projects | GET | 200 — returned projects |
| /api/projects | POST | 400 on invalid name (body parsed correctly), 201 on valid name |

The POST test confirms Content-Type: application/json is still being sent on mutation routes — the backend parsed the JSON body and returned a meaningful validation error, not a "can't parse request" error.

Summary by CodeRabbit

  • Bug Fixes
    • Standardized proxied API headers: write operations (POST/PUT) now include an explicit Content-Type: application/json; read operations (GET) now use Accept: application/json to request JSON responses.
    • No other request/response behavior, status handling, or public API signatures were changed.
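
The header split this PR describes, as an added TypeScript example that is not the project's code: a stand-in helper defaults to Accept, body-carrying calls add Content-Type explicitly, and a small audit flags mismatches in either direction. The names forwardHeaders, withJsonBody and auditCall, the forwarded header list, and the sample requests are assumptions constructed for illustration.

```typescript
// Added example: stand-in for the helper the PR describes, not the project's lib/auth.ts.
type HeaderMap = Record<string, string>;
interface OutboundCall { route: string; method: string; headers: HeaderMap; body?: string }

// Assumption: the incoming headers the proxy layer passes on to the backend.
const FORWARDED = ["authorization", "x-forwarded-user"];

// Copy only the listed headers and default to Accept. Content-Type describes a
// request body, so the shared helper no longer sets it.
function forwardHeaders(incoming: HeaderMap): HeaderMap {
  const out: HeaderMap = { Accept: "application/json" };
  for (const name of Object.keys(incoming)) {
    const lower = name.toLowerCase();
    if (FORWARDED.indexOf(lower) !== -1) out[lower] = incoming[name];
  }
  return out;
}

// Routes that send JSON merge the forwarded headers and set Content-Type
// explicitly; any case variant already present is replaced, not duplicated.
function withJsonBody(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() !== "content-type") out[name] = headers[name];
  }
  out["Content-Type"] = "application/json";
  return out;
}

// Audit check: Content-Type on a bodyless call, or a body sent without it.
function auditCall(call: OutboundCall): string[] {
  const hasType = Object.keys(call.headers).some((h) => h.toLowerCase() === "content-type");
  const hasBody = call.body !== undefined && call.body.length > 0;
  const where = call.method + " " + call.route;
  if (hasType && !hasBody) return [where + ": Content-Type without a body"];
  if (hasBody && !hasType) return [where + ": body without Content-Type"];
  return [];
}

// Constructed sample input, not captured from the project.
const incoming: HeaderMap = { Authorization: "Bearer sample-token", Cookie: "sid=abc", "Content-Type": "text/plain" };
const base = forwardHeaders(incoming);
const calls: OutboundCall[] = [
  { route: "/api/version", method: "GET", headers: base },
  { route: "/api/projects", method: "POST", headers: withJsonBody(base), body: '{"name":"demo"}' },
  { route: "/api/projects", method: "POST", headers: base, body: '{"name":"demo"}' },
  { route: "/api/version", method: "GET", headers: { ...base, "Content-Type": "application/json" } },
];
const findings = calls.reduce((all: string[], c) => all.concat(auditCall(c)), []);
console.log(findings);
```

The third sample call is the regression this kind of change can introduce: a body-carrying route that relied on the helper for Content-Type and was not updated.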

coderabbitai bot (Contributor) commented Apr 7, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a71d2a9e-c454-4860-9a54-57f1a154fc56

📥 Commits

Reviewing files that changed from the base of the PR and between 57325a7 and 1e49f42.

📒 Files selected for processing (20)
  • components/frontend/src/app/api/auth/github/install/route.ts
  • components/frontend/src/app/api/auth/github/pat/route.ts
  • components/frontend/src/app/api/auth/gitlab/connect/route.ts
  • components/frontend/src/app/api/auth/jira/connect/route.ts
  • components/frontend/src/app/api/cluster-info/route.ts
  • components/frontend/src/app/api/feature-flags/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts
  • components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
  • components/frontend/src/app/api/projects/[name]/keys/route.ts
  • components/frontend/src/app/api/projects/[name]/permissions/route.ts
  • components/frontend/src/app/api/projects/[name]/route.ts
  • components/frontend/src/app/api/projects/[name]/settings/route.ts
  • components/frontend/src/app/api/projects/[name]/users/forks/route.ts
  • components/frontend/src/app/api/projects/route.ts
  • components/frontend/src/app/api/version/route.ts
  • components/frontend/src/app/api/workflows/ootb/route.ts
  • components/frontend/src/lib/auth.ts
✅ Files skipped from review due to trivial changes (7)
  • components/frontend/src/app/api/cluster-info/route.ts
  • components/frontend/src/app/api/feature-flags/route.ts
  • components/frontend/src/app/api/projects/[name]/settings/route.ts
  • components/frontend/src/app/api/version/route.ts
  • components/frontend/src/app/api/projects/[name]/permissions/route.ts
  • components/frontend/src/app/api/workflows/ootb/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts
🚧 Files skipped from review as they are similar to previous changes (13)
  • components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
  • components/frontend/src/app/api/auth/github/install/route.ts
  • components/frontend/src/app/api/projects/route.ts
  • components/frontend/src/lib/auth.ts
  • components/frontend/src/app/api/projects/[name]/users/forks/route.ts
  • components/frontend/src/app/api/auth/gitlab/connect/route.ts
  • components/frontend/src/app/api/projects/[name]/route.ts
  • components/frontend/src/app/api/auth/github/pat/route.ts
  • components/frontend/src/app/api/projects/[name]/keys/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
  • components/frontend/src/app/api/auth/jira/connect/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts

Walkthrough

Replaced incorrect outbound Content-Type: application/json with Accept: application/json for bodyless GET proxy fetches; POST/PUT proxy handlers now merge forwarded headers and explicitly set Content-Type: application/json. The default in buildForwardHeaders was changed from Content-Type to Accept.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Header Utility: components/frontend/src/lib/auth.ts | Default forwarded header changed from Content-Type: application/json to Accept: application/json. |
| Bodyless GET Proxy Routes: components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/feature-flags/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts, components/frontend/src/app/api/projects/[name]/settings/route.ts | Replaced outgoing Content-Type: application/json with Accept: application/json for GET requests that have no body. |
| POST/PUT Proxy Handlers (force Content-Type): components/frontend/src/app/api/auth/.../route.ts, components/frontend/src/app/api/projects/.../route.ts, components/frontend/src/app/api/projects/[name]/keys/route.ts, components/frontend/src/app/api/projects/[name]/permissions/route.ts, components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts, components/frontend/src/app/api/projects/[name]/users/forks/route.ts | POST/PUT handlers now merge forwarded headers and explicitly add/override 'Content-Type': 'application/json' when proxying requests with bodies. (Multiple files under auth and projects paths updated.) |
| Agentic Sessions (project-scoped POSTs): components/frontend/src/app/api/projects/[name]/agentic-sessions/..., components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts | POST handlers for agentic-sessions now copy forwarded headers and explicitly set 'Content-Type': 'application/json' for backend fetches. |
| Misc / Audit Alignment: components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts | Reaffirmed use of Accept: application/json for bodyless GET proxy fetches to align with audit/issue #1002. |

🚥 Pre-merge checks | ✅ 6 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | Title does not follow Conventional Commits format (type(scope): description); missing type prefix like 'fix' or 'refactor'. | Reformat title to 'fix: replace Content-Type with Accept on bodyless GET proxy routes' or similar Conventional Commits style. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 45.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (6 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | PR successfully addresses all #1002 requirements: replaced Content-Type with Accept on five specified GET routes, added explicit Content-Type to 14 POST/PUT routes, audited all 94 API routes, and verified no remaining GET routes set Content-Type without body. |
| Out of Scope Changes check | ✅ Passed | All 23 file changes are in-scope: 5 GET routes replaced Content-Type→Accept, 14 POST/PUT routes added explicit Content-Type, and 4 GET routes replaced Content-Type→Accept in helper/other handlers. No unrelated changes detected. |
| Performance And Algorithmic Complexity | ✅ Passed | PR introduces header-level modifications only with no performance impact. Underlying functions remain O(1) with fixed lookups, conditional assignments, and optional async exec with 2000ms timeout guard. |
| Security And Secret Handling | ✅ Passed | PR introduces no security vulnerabilities. All auth headers preserved via spread operators, no hardcoded credentials, generic error responses, proper input encoding, no injection vectors. |
| Kubernetes Resource Safety | ✅ Passed | PR contains only TypeScript changes to Next.js API routes and auth helpers; no Kubernetes manifests or resource definitions present. |


vishsanghishetty changed the title from "replace Content-Type with Accept on bodyless GET proxy routes" to "Replace Content-Type with Accept on bodyless GET proxy routes" Apr 7, 2026
jeremyeder (Contributor) commented

@ambient-code

@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch from 4052003 to ee6ea92 Compare April 10, 2026 19:47
vishsanghishetty (Contributor, Author) commented

@ambient-code

@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch 2 times, most recently from b9360dc to 57325a7 Compare April 14, 2026 21:01
buildForwardHeaders now defaults to Accept: application/json instead of
Content-Type, since most callers are GET proxies with no body. POST/PUT
routes that send a body now set Content-Type explicitly.

closes ambient-code#1002

Signed-off-by: Vishali <vsanghis@redhat.com>
@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch from 57325a7 to 1e49f42 Compare April 16, 2026 16:59
netlify bot commented Apr 16, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

| Name | Link |
|---|---|
| 🔨 Latest commit | 1e49f42 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69e1158bf16c6b000851529c |

vishsanghishetty (Contributor, Author) commented

@jeremyeder could you take a look when you get a chance?


Development

Successfully merging this pull request may close these issues.

Replace incorrect Content-Type header with Accept header on bodyless GET proxy fetch calls

2 participants