Replace Content-Type with Accept on bodyless GET proxy routes #1243

Open
vishsanghishetty wants to merge 1 commit into ambient-code:main from vishsanghishetty:fix/1002-replace-content-type-with-accept

@vishsanghishetty vishsanghishetty commented Apr 7, 2026

Closes #1002

What changed

The root cause is buildForwardHeaders in lib/auth.ts — it unconditionally sets Content-Type: application/json on every outbound request, even GET proxies with no body. Changed it to default to Accept: application/json instead, which fixes all ~40 GET routes that use the helper in one shot.

On top of that, replaced the literal Content-Type with Accept on the 5 routes called out in the issue (version, cluster-info, settings GET, workflows/ootb, feature-flags).

Since POST/PUT routes that send a body still need Content-Type, added it explicitly to the 14 routes that were relying on the helper for it (projects, permissions, keys, auth connect routes, agentic-sessions, workflow, repos, configure-remote, feature-flag override, forks). Routes that already had explicit Content-Type (scheduled-sessions, runner-secrets, integration-secrets, agui, mcp/invoke, workspace paths) were unaffected.

Scope

| Category | Count | Action |
|---|---|---|
| buildForwardHeaders helper | 1 file | Content-Type → Accept |
| GET routes with literal Content-Type | 5 files | replaced with Accept |
| POST/PUT routes with body (relied on helper) | 14 files | added explicit Content-Type |
| POST/PUT routes with explicit Content-Type already | ~10 files | no change needed |
| Bodyless POST/DELETE routes | ~8 files | no change needed |

Full audit of all 94 route files under src/app/api/ — nothing missed.

How I tested

Static analysis: tsc --noEmit, eslint on all 20 changed files, vitest run (631 passed, 0 failures).

Live testing against the Kind cluster — ran the frontend locally (Next.js dev server on port 3000) with the backend port-forwarded from the ambient-main Kind cluster, then curled every modified route type through the proxy layer:

| Route | Method | Result |
|---|---|---|
| /api/version | GET | 200 — returned version JSON |
| /api/cluster-info | GET | 200 — returned cluster info |
| /api/workflows/ootb | GET | 200 — returned workflows list |
| /api/projects | GET | 200 — returned projects |
| /api/projects | POST | 400 on invalid name (body parsed correctly), 201 on valid name |

The POST test confirms Content-Type: application/json is still being sent on mutation routes — the backend parsed the JSON body and returned a meaningful validation error, not a "can't parse request" error.

Summary by CodeRabbit

  • Bug Fixes
    • Standardized proxied API headers: write operations (POST/PUT) now include an explicit Content-Type: application/json; read operations (GET) now use Accept: application/json to request JSON responses.
    • No other request/response behavior, status handling, or public API signatures were changed.
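
The header split described in this PR, as an added TypeScript example that is not code from the PR or the project: `forwardHeaders` is a hypothetical stand-in for a helper like buildForwardHeaders, and the allowlist, payload and sample calls are constructed. `auditCall` flags the two mismatches discussed above, including the case of a body-carrying route that still relies on the helper after its default changes.

```typescript
// Added example; forwardHeaders is a hypothetical stand-in, not the project's lib/auth.ts.
type HeaderMap = { [name: string]: string };
interface OutboundCall { route: string; method: string; headers: HeaderMap; body?: string }

// Assumed allowlist of inbound headers to forward (constructed for this example).
const FORWARDED = ["authorization"];

// HTTP field names are case-insensitive, so compare lowercased.
function hasHeader(headers: HeaderMap, name: string): boolean {
  return Object.keys(headers).some((k) => k.toLowerCase() === name.toLowerCase());
}

// Default to Accept; add Content-Type only when a body is actually sent.
function forwardHeaders(inbound: HeaderMap, body?: string): HeaderMap {
  const out: HeaderMap = { Accept: "application/json" };
  for (const key of Object.keys(inbound)) {
    if (FORWARDED.indexOf(key.toLowerCase()) !== -1) out[key] = inbound[key];
  }
  if (body !== undefined) out["Content-Type"] = "application/json";
  return out;
}

// Report header/body mismatches on one outbound proxy call.
function auditCall(call: OutboundCall): string[] {
  const findings: string[] = [];
  const hasBody = call.body !== undefined && call.body.length > 0;
  const hasContentType = hasHeader(call.headers, "content-type");
  if (!hasBody && hasContentType) findings.push("Content-Type on bodyless request");
  if (hasBody && !hasContentType) findings.push("body sent without Content-Type");
  if (call.method === "GET" && !hasHeader(call.headers, "accept")) findings.push("GET without Accept");
  return findings;
}

const payload = JSON.stringify({ name: "demo" }); // constructed body
// Constructed calls: old GET, fixed GET, POST relying on the new default, fixed POST.
const SAMPLE_CALLS: OutboundCall[] = [
  { route: "/api/version", method: "GET", headers: { "Content-Type": "application/json" } },
  { route: "/api/version", method: "GET", headers: forwardHeaders({ authorization: "Bearer <token>", cookie: "sid=<value>" }) },
  { route: "/api/projects", method: "POST", headers: forwardHeaders({}), body: payload },
  { route: "/api/projects", method: "POST", headers: forwardHeaders({}, payload), body: payload },
];

for (const call of SAMPLE_CALLS) {
  console.log(call.method, call.route, auditCall(call));
}
```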

coderabbitai bot commented Apr 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9c2f6a15-2abb-46e4-97c1-d2fc67267f6b

📥 Commits

Reviewing files that changed from the base of the PR and between b9360dc and 57325a7.

📒 Files selected for processing (20)
  • components/frontend/src/app/api/auth/github/install/route.ts
  • components/frontend/src/app/api/auth/github/pat/route.ts
  • components/frontend/src/app/api/auth/gitlab/connect/route.ts
  • components/frontend/src/app/api/auth/jira/connect/route.ts
  • components/frontend/src/app/api/cluster-info/route.ts
  • components/frontend/src/app/api/feature-flags/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts
  • components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
  • components/frontend/src/app/api/projects/[name]/keys/route.ts
  • components/frontend/src/app/api/projects/[name]/permissions/route.ts
  • components/frontend/src/app/api/projects/[name]/route.ts
  • components/frontend/src/app/api/projects/[name]/settings/route.ts
  • components/frontend/src/app/api/projects/[name]/users/forks/route.ts
  • components/frontend/src/app/api/projects/route.ts
  • components/frontend/src/app/api/version/route.ts
  • components/frontend/src/app/api/workflows/ootb/route.ts
  • components/frontend/src/lib/auth.ts
✅ Files skipped from review due to trivial changes (12)
  • components/frontend/src/app/api/cluster-info/route.ts
  • components/frontend/src/app/api/auth/github/pat/route.ts
  • components/frontend/src/app/api/feature-flags/route.ts
  • components/frontend/src/app/api/version/route.ts
  • components/frontend/src/app/api/workflows/ootb/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts
  • components/frontend/src/app/api/projects/[name]/permissions/route.ts
  • components/frontend/src/app/api/projects/[name]/keys/route.ts
  • components/frontend/src/app/api/projects/[name]/users/forks/route.ts
  • components/frontend/src/app/api/projects/[name]/settings/route.ts
  • components/frontend/src/app/api/auth/jira/connect/route.ts
  • components/frontend/src/lib/auth.ts
🚧 Files skipped from review as they are similar to previous changes (7)
  • components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
  • components/frontend/src/app/api/auth/gitlab/connect/route.ts
  • components/frontend/src/app/api/projects/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
  • components/frontend/src/app/api/auth/github/install/route.ts

📝 Walkthrough

Replaced outbound Content-Type: application/json with Accept: application/json for bodyless GET proxy fetches; POST/PUT proxy handlers now merge forwarded headers and explicitly set Content-Type: application/json. The default in buildForwardHeaders was changed from Content-Type to Accept.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Header Utility: components/frontend/src/lib/auth.ts | Default forwarded header changed from Content-Type: application/json to Accept: application/json. |
| Bodyless GET Proxy Routes: components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/feature-flags/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts, components/frontend/src/app/api/projects/[name]/settings/route.ts | Replaced outgoing Content-Type: application/json with Accept: application/json for GET requests without a body. |
| Auth POST Routes: components/frontend/src/app/api/auth/github/install/route.ts, components/frontend/src/app/api/auth/github/pat/route.ts, components/frontend/src/app/api/auth/gitlab/connect/route.ts, components/frontend/src/app/api/auth/jira/connect/route.ts | POST handlers now send merged headers that explicitly set Content-Type: application/json when proxying. |
| Agentic Sessions (POST): components/frontend/src/app/api/projects/[name]/agentic-sessions/.../route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts | POST handlers now merge forwarded headers and explicitly set Content-Type: application/json for proxied backend requests. |
| Project Management POST/PUT Routes: components/frontend/src/app/api/projects/route.ts, components/frontend/src/app/api/projects/[name]/route.ts, components/frontend/src/app/api/projects/[name]/keys/route.ts, components/frontend/src/app/api/projects/[name]/permissions/route.ts, components/frontend/src/app/api/projects/[name]/users/forks/route.ts, components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts | PUT/POST handlers now pass headers merged with Content-Type: application/json when proxying requests with bodies. |
| Misc GETs (audit alignment): components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts | Reaffirmed use of Accept: application/json on bodyless GET proxies. |

🚥 Pre-merge checks | ✅ 6 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | PR title does not follow Conventional Commits format (missing type prefix like 'fix', 'feat', 'chore', etc.). | Rename title to 'fix: replace Content-Type with Accept on bodyless GET proxy routes' to comply with Conventional Commits format. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 45.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (6 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Changes fully implement issue #1002 requirements: replaced Content-Type with Accept on bodyless GET routes, added explicit Content-Type to POST/PUT routes, and audited all 94 route files. |
| Out of Scope Changes check | ✅ Passed | All 19 modified files are in scope: five GET routes updated per #1002, 14 POST/PUT routes augmented with explicit Content-Type for consistency, and lib/auth.ts base helper adjusted accordingly. |
| Performance And Algorithmic Complexity | ✅ Passed | All changes are constant-time HTTP header semantic corrections with zero algorithmic or performance implications. No O(n²) algorithms, N+1 patterns, expensive loops, unbounded resource growth, or frontend performance issues introduced. |
| Security And Secret Handling | ✅ Passed | PR makes HTTP semantic corrections without introducing security vulnerabilities; auth headers properly forwarded via buildForwardHeadersAsync with no hardcoded secrets or injection risks. |
| Kubernetes Resource Safety | ✅ Passed | PR modifies only TypeScript application code for Next.js API routes; no Kubernetes manifests are changed, making the resource safety check inapplicable. |

@vishsanghishetty vishsanghishetty changed the title replace Content-Type with Accept on bodyless GET proxy routes Replace Content-Type with Accept on bodyless GET proxy routes Apr 7, 2026
@jeremyeder

@ambient-code

@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch from 4052003 to ee6ea92 Compare April 10, 2026 19:47
@vishsanghishetty

@ambient-code

@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch from ee6ea92 to b9360dc Compare April 12, 2026 12:01
buildForwardHeaders now defaults to Accept: application/json instead of
Content-Type, since most callers are GET proxies with no body. POST/PUT
routes that send a body now set Content-Type explicitly.

closes ambient-code#1002

Signed-off-by: Vishali <vsanghis@redhat.com>
@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch from b9360dc to 57325a7 Compare April 14, 2026 21:01

Development

Successfully merging this pull request may close these issues.

Replace incorrect Content-Type header with Accept header on bodyless GET proxy fetch calls
