Replace Content-Type with Accept on bodyless GET proxy routes #1243

Open
vishsanghishetty wants to merge 1 commit into ambient-code:main from vishsanghishetty:fix/1002-replace-content-type-with-accept

@vishsanghishetty vishsanghishetty commented Apr 7, 2026

Closes #1002

What changed

The root cause is buildForwardHeaders in lib/auth.ts — it unconditionally sets Content-Type: application/json on every outbound request, even GET proxies with no body. Changed it to default to Accept: application/json instead, which fixes all ~40 GET routes that use the helper in one shot.

On top of that, replaced the literal Content-Type with Accept on the 5 routes called out in the issue (version, cluster-info, settings GET, workflows/ootb, feature-flags).

Since POST/PUT routes that send a body still need Content-Type, added it explicitly to the 14 routes that were relying on the helper for it (projects, permissions, keys, auth connect routes, agentic-sessions, workflow, repos, configure-remote, feature-flag override, forks). Routes that already had explicit Content-Type (scheduled-sessions, runner-secrets, integration-secrets, agui, mcp/invoke, workspace paths) were unaffected.

Scope

| Category | Count | Action |
| --- | --- | --- |
| buildForwardHeaders helper | 1 file | Content-Type → Accept |
| GET routes with literal Content-Type | 5 files | replaced with Accept |
| POST/PUT routes with body (relied on helper) | 14 files | added explicit Content-Type |
| POST/PUT routes with explicit Content-Type already | ~10 files | no change needed |
| Bodyless POST/DELETE routes | ~8 files | no change needed |

Full audit of all 94 route files under src/app/api/ — nothing missed.

How I tested

Static analysis: tsc --noEmit, eslint on all 20 changed files, vitest run (631 passed, 0 failures).

Live testing against the Kind cluster — ran the frontend locally (Next.js dev server on port 3000) with the backend port-forwarded from the ambient-main Kind cluster, then curled every modified route type through the proxy layer:

| Route | Method | Result |
| --- | --- | --- |
| /api/version | GET | 200 — returned version JSON |
| /api/cluster-info | GET | 200 — returned cluster info |
| /api/workflows/ootb | GET | 200 — returned workflows list |
| /api/projects | GET | 200 — returned projects |
| /api/projects | POST | 400 on invalid name (body parsed correctly), 201 on valid name |

The POST test confirms Content-Type: application/json is still being sent on mutation routes — the backend parsed the JSON body and returned a meaningful validation error, not a "can't parse request" error.

Summary by CodeRabbit

  • Bug Fixes
    • Standardized proxied API headers: POST/PUT now send an explicit Content-Type: application/json; GET requests now declare Accept: application/json for expected response format, improving API compatibility and reliability.
    • No other request/response behavior, status handling, or public API signatures were changed.
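
An added example, not the project's code: the header split this PR describes, with a check that flags the mismatches it fixes. `buildProxyHeaders`, `withJsonBody`, `auditOutbound`, `auditSamples` and the Authorization-only forwarding are assumptions made for illustration.

```typescript
// Added example: every name here is hypothetical, not the project's buildForwardHeaders.
type HeaderMap = Record<string, string>;
type OutboundRequest = { method: string; headers: HeaderMap; body?: string };

// Assumption: only the caller's Authorization header is forwarded upstream.
function buildProxyHeaders(incoming: HeaderMap): HeaderMap {
  const out: HeaderMap = { Accept: "application/json" };
  Object.keys(incoming).forEach((name) => {
    if (name.toLowerCase() === "authorization") out["Authorization"] = incoming[name];
  });
  return out;
}

// Route-side merge for JSON bodies; drops any differently-cased content-type so one entry remains.
function withJsonBody(headers: HeaderMap): HeaderMap {
  const merged: HeaderMap = {};
  Object.keys(headers).forEach((name) => {
    if (name.toLowerCase() !== "content-type") merged[name] = headers[name];
  });
  merged["Content-Type"] = "application/json";
  return merged;
}

// Returns the header/body mismatches found on one outbound request.
function auditOutbound(req: OutboundRequest): string[] {
  const names = Object.keys(req.headers).map((n) => n.toLowerCase());
  const has = (n: string) => names.indexOf(n) !== -1;
  const hasBody = typeof req.body === "string" && req.body.length > 0;
  const findings: string[] = [];
  if (!hasBody && has("content-type")) findings.push("content-type-without-body");
  if (hasBody && !has("content-type")) findings.push("body-without-content-type");
  if (!has("accept")) findings.push("missing-accept");
  return findings;
}

// Constructed sample requests (not captured traffic).
function auditSamples(): string[] {
  const incoming: HeaderMap = { authorization: "Bearer example-token" };
  const body = '{"name":"demo"}';
  const samples: OutboundRequest[] = [
    { method: "GET", headers: { "Content-Type": "application/json" } }, // old helper default
    { method: "GET", headers: buildProxyHeaders(incoming) }, // new helper default
    { method: "POST", headers: buildProxyHeaders(incoming), body }, // body, helper only
    { method: "POST", headers: withJsonBody(buildProxyHeaders(incoming)), body },
  ];
  return samples.map((r) => r.method + ": " + (auditOutbound(r).join(",") || "ok"));
}
```

The third sample is the regression this kind of change can introduce: a body-carrying route that relied on the helper for Content-Type and was not given an explicit one.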

coderabbitai bot commented Apr 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between ee6ea92 and b9360dc.

📒 Files selected for processing (20)
  • components/frontend/src/app/api/auth/github/install/route.ts
  • components/frontend/src/app/api/auth/github/pat/route.ts
  • components/frontend/src/app/api/auth/gitlab/connect/route.ts
  • components/frontend/src/app/api/auth/jira/connect/route.ts
  • components/frontend/src/app/api/cluster-info/route.ts
  • components/frontend/src/app/api/feature-flags/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts
  • components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
  • components/frontend/src/app/api/projects/[name]/keys/route.ts
  • components/frontend/src/app/api/projects/[name]/permissions/route.ts
  • components/frontend/src/app/api/projects/[name]/route.ts
  • components/frontend/src/app/api/projects/[name]/settings/route.ts
  • components/frontend/src/app/api/projects/[name]/users/forks/route.ts
  • components/frontend/src/app/api/projects/route.ts
  • components/frontend/src/app/api/version/route.ts
  • components/frontend/src/app/api/workflows/ootb/route.ts
  • components/frontend/src/lib/auth.ts
✅ Files skipped from review due to trivial changes (13)
  • components/frontend/src/app/api/cluster-info/route.ts
  • components/frontend/src/app/api/projects/[name]/route.ts
  • components/frontend/src/app/api/feature-flags/route.ts
  • components/frontend/src/lib/auth.ts
  • components/frontend/src/app/api/projects/[name]/users/forks/route.ts
  • components/frontend/src/app/api/auth/github/pat/route.ts
  • components/frontend/src/app/api/version/route.ts
  • components/frontend/src/app/api/projects/[name]/settings/route.ts
  • components/frontend/src/app/api/projects/[name]/keys/route.ts
  • components/frontend/src/app/api/auth/jira/connect/route.ts
  • components/frontend/src/app/api/workflows/ootb/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts
🚧 Files skipped from review as they are similar to previous changes (7)
  • components/frontend/src/app/api/auth/github/install/route.ts
  • components/frontend/src/app/api/projects/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts
  • components/frontend/src/app/api/projects/[name]/permissions/route.ts
  • components/frontend/src/app/api/auth/gitlab/connect/route.ts
  • components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts
  • components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts

📝 Walkthrough

Replaced inappropriate outbound Content-Type: application/json on bodyless GET proxy fetches with Accept: application/json; POST/PUT proxy handlers now merge forwarded headers and explicitly set Content-Type: application/json. The default in buildForwardHeaders was changed from Content-Type to Accept.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Header Utility: components/frontend/src/lib/auth.ts | Changed default forwarded header from Content-Type: application/json to Accept: application/json. |
| Bodyless GET Proxy Routes: components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/feature-flags/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts, components/frontend/src/app/api/projects/[name]/settings/route.ts | Replaced outgoing Content-Type: application/json with Accept: application/json for GET requests with no body. |
| Auth POST Routes: components/frontend/src/app/api/auth/github/install/route.ts, components/frontend/src/app/api/auth/github/pat/route.ts, components/frontend/src/app/api/auth/gitlab/connect/route.ts, components/frontend/src/app/api/auth/jira/connect/route.ts | POST handlers now forward headers as a merged object that ensures Content-Type: application/json (was forwarding headers unchanged). |
| Agentic Sessions (POST): components/frontend/src/app/api/projects/[name]/agentic-sessions/.../route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/git/configure-remote/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/repos/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/workflow/route.ts | POST handlers now merge forwarded headers and explicitly set Content-Type: application/json for proxied backend requests. |
| Project Management POST/PUT Routes: components/frontend/src/app/api/projects/route.ts, components/frontend/src/app/api/projects/[name]/route.ts, components/frontend/src/app/api/projects/[name]/keys/route.ts, components/frontend/src/app/api/projects/[name]/permissions/route.ts, components/frontend/src/app/api/projects/[name]/users/forks/route.ts, components/frontend/src/app/api/projects/[name]/feature-flags/[flagName]/override/route.ts | PUT/POST handlers now pass headers merged with Content-Type: application/json when proxying requests with bodies. |
| Misc GETs (audit alignment): components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts | Reiterated to use Accept: application/json on bodyless GET proxies (audit-driven alignment). |

🚥 Pre-merge checks | ✅ 6 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | Title lacks Conventional Commits format (type(scope): description); missing type prefix like 'fix:'. | Reformat as: 'fix(api): replace Content-Type with Accept on bodyless GET proxy routes' |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 45.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (6 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | PR fully addresses #1002 requirements: replaced Content-Type with Accept on all identified GET routes, audited entire api directory, added explicit Content-Type to 14 POST/PUT routes, verified testing passes. |
| Out of Scope Changes check | ✅ Passed | All changes align with #1002 scope: fixes GET routes per spec and ensures POST/PUT routes retain proper Content-Type, staying within audit boundaries. |
| Performance And Algorithmic Complexity | ✅ Passed | PR modifies HTTP request headers in Next.js API proxy routes with O(1) complexity; no performance regressions or algorithmic issues introduced. |
| Security And Secret Handling | ✅ Passed | No security violations detected. PR modifies only HTTP headers (Accept vs Content-Type) on bodyless requests with no impact on authentication, authorization, secrets, or data handling. |
| Kubernetes Resource Safety | ✅ Passed | PR modifications are exclusively TypeScript API route handlers updating HTTP headers. No Kubernetes resources modified. |

@vishsanghishetty vishsanghishetty changed the title from "replace Content-Type with Accept on bodyless GET proxy routes" to "Replace Content-Type with Accept on bodyless GET proxy routes" on Apr 7, 2026

@jeremyeder
@ambient-code

@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch from 4052003 to ee6ea92 on April 10, 2026 19:47

@vishsanghishetty
@ambient-code

buildForwardHeaders now defaults to Accept: application/json instead of
Content-Type, since most callers are GET proxies with no body. POST/PUT
routes that send a body now set Content-Type explicitly.

closes ambient-code#1002

Signed-off-by: Vishali <vsanghis@redhat.com>

@vishsanghishetty vishsanghishetty force-pushed the fix/1002-replace-content-type-with-accept branch from ee6ea92 to b9360dc on April 12, 2026 12:01
Development

Successfully merging this pull request may close these issues.

Replace incorrect Content-Type header with Accept header on bodyless GET proxy fetch calls
