Skip to content

Fix PATCH requests failing when using function-based headers for authentication #648

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 2 commits into from
Closed

Fix PATCH requests failing when using function-based headers for authentication #648

Copilot wants to merge 2 commits into from

Conversation

Copy link

Copilot AI commented Feb 5, 2026
edited
Loading

PATCH requests fail with "content-type 'application/ld+json' not supported" when implementing authentication using function-based headers (as shown in the documentation example). The dataProvider sets content-type: application/merge-patch+json for PATCH operations, but this header is lost during authentication header injection.

Root Cause

fetchHydra.ts only handled header merging when headers were NOT a function, leaving function-based headers (type () => HeadersInit) unprocessed:

// Before: only merged headers if NOT a function
if (typeof requestHeaders !== 'function' && options.user && ...) {
  requestHeaders = new Headers(requestHeaders);
  requestHeaders.set('Authorization', options.user.token);
}

Changes

  • Always resolve function headers before merging with authentication header
  • Convert to Headers object consistently regardless of input type
  • Follows the same pattern already used in openapi/dataProvider.ts:16
// After: resolve function headers, then merge
if (typeof requestHeaders === 'function') {
  requestHeaders = requestHeaders();
}
requestHeaders = new Headers(requestHeaders);
if (options.user && options.user.authenticated && options.user.token) {
  requestHeaders.set('Authorization', options.user.token);
}

This preserves critical headers like content-type: application/merge-patch+json while adding authentication headers.

Original prompt

This section details on the original issue you should resolve

<issue_title>Authentication breaks PATCH requests</issue_title>
<issue_description>API Platform version(s) affected: 4.0.11

Description
Authentication based on the example from docs https://api-platform.com/docs/admin/authentication-support/ leads to the weird side effect - PATCH requests fail with error stating that The content-type "application/ld+json" is not supported. Supported MIME types are "application/merge-patch+json".' Everything else works reasonably good, only PATCH is failing.

How to reproduce
Implement dataProvider accordingly to the docs.
Try to update entity via admin.
</issue_description>

<agent_instructions>Fix this issue</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@slax57 Looking at a similar issue (https://github.com//issues/578) made me wonder if this could be caused by this code: 
const getHeaders = () =>
  localStorage.getItem("token")
    ? { Authorization: `Bearer ${localStorage.getItem("token")}` }
    : {};

const fetchHydra = (url, options = {}) =>
  baseFetchHydra(url, {
    ...options,
    headers: getHeaders,
  });

Indeed this seems to override any headers that could be present in options, so it could loose the content-type header in the process.

Can you try to merge the headers instead to see if this solves your issue?

const fetchHydra = (url, options = {}) =>
  baseFetchHydra(url, {
    ...options,
    headers: () => ({ ...options.headers(), ...getHeaders() }),
  });
```</body></comment_new>
</comments>

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@soyuka
Fix PATCH authentication by properly merging headers
d5e80ad 
Modified fetchHydra.ts to handle headers whether they are functions or objects, properly merging Authorization header with existing headers like content-type. This fixes the issue where PATCH requests fail with authentication due to content-type header being lost.

Co-authored-by: soyuka <1321971+soyuka@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix authentication issues causing PATCH requests to fail Fix PATCH requests failing when using function-based headers for authentication Feb 5, 2026
Copilot AI requested a review from soyuka February 5, 2026 14:45
@vincentchalamon
Copy link
Contributor

vincentchalamon commented Feb 5, 2026

No bug to fix, all done here: api-platform/demo#589

@vincentchalamon vincentchalamon deleted the copilot/fix-patch-request-authentication branch February 5, 2026 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@soyuka soyuka Awaiting requested review from soyuka

Assignees

@soyuka soyuka

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Authentication breaks PATCH requests

3 participants

@vincentchalamon @soyuka