Replace Content-Type with Accept on bodyless GET proxy routes

[vishsanghishetty]

Closes #1002

What changed

The root cause is buildForwardHeaders in lib/auth.ts — it unconditionally sets Content-Type: application/json on every outbound request, even GET proxies with no body. Changed it to default to Accept: application/json instead, which fixes all ~40 GET routes that use the helper in one shot.

On top of that, replaced the literal Content-Type with Accept on the 5 routes called out in the issue (version, cluster-info, settings GET, workflows/ootb, feature-flags).

Since POST/PUT routes that send a body still need Content-Type, added it explicitly to the 14 routes that were relying on the helper for it (projects, permissions, keys, auth connect routes, agentic-sessions, workflow, repos, configure-remote, feature-flag override, forks). Routes that already had explicit Content-Type (scheduled-sessions, runner-secrets, integration-secrets, agui, mcp/invoke, workspace paths) were unaffected.

Scope

Category	Count	Action
buildForwardHeaders helper	1 file	Content-Type → Accept
GET routes with literal Content-Type	5 files	replaced with Accept
POST/PUT routes with body (relied on helper)	14 files	added explicit Content-Type
POST/PUT routes with explicit Content-Type already	~10 files	no change needed
Bodyless POST/DELETE routes	~8 files	no change needed

Full audit of all 94 route files under src/app/api/ — nothing missed.

How I tested

Static analysis — tsc --noEmit, eslint on all 20 changed files, vitest run (631 passed, 0 failures).

Live testing against the Kind cluster — ran the frontend locally (Next.js dev server on port 3000) with the backend port-forwarded from the ambient-main Kind cluster, then curled every modified route type through the proxy layer:

Route	Method	Result
/api/version	GET	200 — returned version JSON
/api/cluster-info	GET	200 — returned cluster info
/api/workflows/ootb	GET	200 — returned workflows list
/api/projects	GET	200 — returned projects
/api/projects	POST	400 on invalid name (body parsed correctly), 201 on valid name

The POST test confirms Content-Type: application/json is still being sent on mutation routes — the backend parsed the JSON body and returned a meaningful validation error, not a "can't parse request" error.

Summary by CodeRabbit

• Bug Fixes
  • Fixed HTTP request header handling across multiple API endpoints to ensure proper content-type negotiation with backend services. GET requests now correctly declare expected response format, while POST/PUT requests explicitly set request content type for improved API compatibility and reliability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f1768934-f4fb-459a-8234-e94bc87ac575

📥 Commits

Reviewing files that changed from the base of the PR and between 4052003 and ee6ea92.

📒 Files selected for processing (20)

• components/frontend/src/app/api/auth/github/install/route.ts
• components/frontend/src/app/api/auth/github/pat/route.ts
• components/frontend/src/app/api/auth/gitlab/connect/route.ts
• components/frontend/src/app/api/auth/jira/connect/route.ts
• components/frontend/src/app/api/cluster-info/route.ts
• components/frontend/src/app/api/feature-flags/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts
• components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
• components/frontend/src/app/api/projects/[name]/keys/route.ts
• components/frontend/src/app/api/projects/[name]/permissions/route.ts
• components/frontend/src/app/api/projects/[name]/route.ts
• components/frontend/src/app/api/projects/[name]/settings/route.ts
• components/frontend/src/app/api/projects/[name]/users/forks/route.ts
• components/frontend/src/app/api/projects/route.ts
• components/frontend/src/app/api/version/route.ts
• components/frontend/src/app/api/workflows/ootb/route.ts
• components/frontend/src/lib/auth.ts

✅ Files skipped from review due to trivial changes (8)

• components/frontend/src/app/api/cluster-info/route.ts
• components/frontend/src/app/api/projects/[name]/settings/route.ts
• components/frontend/src/lib/auth.ts
• components/frontend/src/app/api/projects/[name]/permissions/route.ts
• components/frontend/src/app/api/projects/[name]/route.ts
• components/frontend/src/app/api/workflows/ootb/route.ts
• components/frontend/src/app/api/version/route.ts
• components/frontend/src/app/api/feature-flags/route.ts

🚧 Files skipped from review as they are similar to previous changes (12)

• components/frontend/src/app/api/auth/github/install/route.ts
• components/frontend/src/app/api/projects/[name]/users/forks/route.ts
• components/frontend/src/app/api/auth/github/pat/route.ts
• components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts
• components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts
• components/frontend/src/app/api/auth/gitlab/connect/route.ts
• components/frontend/src/app/api/projects/route.ts
• components/frontend/src/app/api/auth/jira/connect/route.ts
• components/frontend/src/app/api/projects/[name]/keys/route.ts

---

📝 Walkthrough

Walkthrough

Updated outbound proxy headers across frontend API routes: bodyless GET proxy fetches now use Accept: application/json instead of Content-Type, and POST/PUT routes explicitly merge/override forwarded headers with Content-Type: application/json. The buildForwardHeaders default was changed to use Accept: application/json.

Changes

Cohort / File(s)	Summary
GET Proxy Routes components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/feature-flags/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts, components/frontend/src/app/api/projects/[name]/settings/route.ts	Replaced Content-Type: application/json with Accept: application/json for bodyless outbound GET fetch calls.
Auth API Routes components/frontend/src/app/api/auth/github/install/route.ts, components/frontend/src/app/api/auth/github/pat/route.ts, components/frontend/src/app/api/auth/gitlab/connect/route.ts, components/frontend/src/app/api/auth/jira/connect/route.ts	POST handlers now forward headers as { ...headers, 'Content-Type': 'application/json' } when proxying to backend.
Agentic Session Routes components/frontend/src/app/api/projects/[name]/agentic-sessions/.../route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts	POST handlers updated to merge forwarded headers with Content-Type: application/json for backend requests.
Project Management Routes components/frontend/src/app/api/projects/route.ts, components/frontend/src/app/api/projects/[name]/route.ts, components/frontend/src/app/api/projects/[name]/keys/route.ts, components/frontend/src/app/api/projects/[name]/permissions/route.ts, components/frontend/src/app/api/projects/[name]/users/forks/route.ts, components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts	POST/PUT handlers now pass headers merged with Content-Type: application/json when proxying payload-bearing requests.
Feature / Misc GETs components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts	Aligned GET proxies to use Accept: application/json (duplicate emphasis for routes audited).
Header Utility components/frontend/src/lib/auth.ts	buildForwardHeaders default changed from Content-Type: application/json to Accept: application/json.

🚥 Pre-merge checks | ✅ 6 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	Title clearly describes the main change but does not follow Conventional Commits format (missing type prefix like 'fix:').	Reformat title to: 'fix: replace Content-Type with Accept on bodyless GET proxy routes'
Docstring Coverage	⚠️ Warning	Docstring coverage is 45.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Code changes comprehensively address all objectives in #1002: replaced Content-Type with Accept on five specified GET routes, added explicit Content-Type to 14 POST/PUT routes, audited all 94 route files, and verified via testing.
Out of Scope Changes check	✅ Passed	All changes directly relate to #1002 objectives: header fixes on GET routes, explicit Content-Type on POST/PUT routes, and lib/auth.ts default header update. No extraneous modifications detected.
Performance And Algorithmic Complexity	✅ Passed	PR contains only HTTP header semantic corrections with O(k) object spread operations on small header objects (<20 headers); no algorithmic complexity, performance regressions, or problematic patterns detected.
Security And Secret Handling	✅ Passed	No security vulnerabilities detected. Changes are HTTP header metadata only (Accept vs Content-Type). No hardcoded secrets, auth bypass, injection flaws, or data leaks introduced.
Kubernetes Resource Safety	✅ Passed	Kubernetes Resource Safety check not applicable to this PR. Changes are limited to Next.js TypeScript API route handlers fixing HTTP header semantics on fetch() calls.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jeremyeder]

@ambient-code

[vishsanghishetty]

@ambient-code