Replace Content-Type with Accept on bodyless GET proxy routes

[vishsanghishetty]

Closes #1002

What changed

The root cause is buildForwardHeaders in lib/auth.ts — it unconditionally sets Content-Type: application/json on every outbound request, even GET proxies with no body. Changed it to default to Accept: application/json instead, which fixes all ~40 GET routes that use the helper in one shot.

On top of that, replaced the literal Content-Type with Accept on the 5 routes called out in the issue (version, cluster-info, settings GET, workflows/ootb, feature-flags).

Since POST/PUT routes that send a body still need Content-Type, added it explicitly to the 14 routes that were relying on the helper for it (projects, permissions, keys, auth connect routes, agentic-sessions, workflow, repos, configure-remote, feature-flag override, forks). Routes that already had explicit Content-Type (scheduled-sessions, runner-secrets, integration-secrets, agui, mcp/invoke, workspace paths) were unaffected.

Scope

Category	Count	Action
buildForwardHeaders helper	1 file	Content-Type → Accept
GET routes with literal Content-Type	5 files	replaced with Accept
POST/PUT routes with body (relied on helper)	14 files	added explicit Content-Type
POST/PUT routes with explicit Content-Type already	~10 files	no change needed
Bodyless POST/DELETE routes	~8 files	no change needed

Full audit of all 94 route files under src/app/api/ — nothing missed.

How I tested

Static analysis — tsc --noEmit, eslint on all 20 changed files, vitest run (631 passed, 0 failures).

Live testing against the Kind cluster — ran the frontend locally (Next.js dev server on port 3000) with the backend port-forwarded from the ambient-main Kind cluster, then curled every modified route type through the proxy layer:

Route	Method	Result
/api/version	GET	200 — returned version JSON
/api/cluster-info	GET	200 — returned cluster info
/api/workflows/ootb	GET	200 — returned workflows list
/api/projects	GET	200 — returned projects
/api/projects	POST	400 on invalid name (body parsed correctly), 201 on valid name

The POST test confirms Content-Type: application/json is still being sent on mutation routes — the backend parsed the JSON body and returned a meaningful validation error, not a "can't parse request" error.

[coderabbitai]

📝 Walkthrough

Walkthrough

HTTP header corrections across API proxy routes. GET requests now use Accept: application/json instead of Content-Type, while POST/PUT/PATCH requests explicitly set Content-Type: application/json. The default header utility also updated to use Accept for consistency.

Changes

Cohort / File(s)	Summary
GET Proxy Routes components/frontend/src/app/api/version/route.ts, components/frontend/src/app/api/cluster-info/route.ts, components/frontend/src/app/api/feature-flags/route.ts, components/frontend/src/app/api/workflows/ootb/route.ts, components/frontend/src/app/api/projects/[name]/settings/route.ts	Replaced Content-Type: application/json with Accept: application/json on bodyless GET requests (Content-Type is semantically incorrect for requests without a body).
Auth API Routes components/frontend/src/app/api/auth/github/install/route.ts, components/frontend/src/app/api/auth/github/pat/route.ts, components/frontend/src/app/api/auth/gitlab/connect/route.ts, components/frontend/src/app/api/auth/jira/connect/route.ts	Added explicit Content-Type: application/json header to POST requests forwarded to backend.
Agentic Session Routes components/frontend/src/app/api/projects/[name]/agentic-sessions/[sessionName]/{git/configure-remote,repos,workflow}/route.ts, components/frontend/src/app/api/projects/[name]/agentic-sessions/route.ts	Added explicit Content-Type: application/json header to POST requests forwarded to backend.
Project Management Routes components/frontend/src/app/api/projects/{route.ts,[name]/{keys,permissions,route.ts,feature-flags/[flagName]/override}/route.ts}, components/frontend/src/app/api/projects/[name]/users/forks/route.ts	Added explicit Content-Type: application/json header to POST/PUT requests forwarded to backend.
Header Utility components/frontend/src/lib/auth.ts	Updated buildForwardHeaders function to set Accept: application/json instead of Content-Type: application/json as default forwarded header.

🚥 Pre-merge checks | ✅ 6 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 45.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	⚠️ Warning	Title describes the main change (replacing Content-Type with Accept on GET routes) but doesn't follow Conventional Commits format (missing type prefix like 'fix' or 'chore').	Reformat title to Conventional Commits format: 'fix: replace Content-Type with Accept on bodyless GET proxy routes' or similar.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	PR fully addresses issue #1002: modified 5 GET routes to use Accept header, updated buildForwardHeaders default, and added explicit Content-Type to 14 POST/PUT routes.
Out of Scope Changes check	✅ Passed	All changes are in-scope: replacing Content-Type with Accept on GET routes, updating buildForwardHeaders helper, and ensuring POST/PUT routes retain Content-Type.
Performance And Algorithmic Complexity	✅ Passed	PR modifies only HTTP header configurations (Content-Type/Accept) in API routes with zero algorithmic complexity, loops, N+1 patterns, or expensive operations.
Security And Secret Handling	✅ Passed	PR modifies only HTTP header metadata on routes; all authentication/authorization mechanisms remain intact with bearer tokens and identity headers properly forwarded.
Kubernetes Resource Safety	✅ Passed	PR modifies only Next.js API routes and auth utilities; Kubernetes manifests in ./components/manifests/ remain untouched.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}