fix(sessions): guard /api/sessions against non-JSON (HTML) responses (#570, #573)

fetchSessions now sends accept: application/json, verifies the content-type is
JSON before parsing, and validates the response shape. When an auth/proxy layer
intercepts /api/sessions and returns HTML, the user gets a clear error instead
of a React crash from JSON.parse on '<!doctype html>'.
Aurora
2026-06-05 15:49:22 -04:00
parent 9e1b0b0fe9
commit eab27ac3bf


@@ -203,11 +203,25 @@ export async function sendToSession(
}
export async function fetchSessions(): Promise<GatewaySessionsResponse> {
const response = await fetch(makeEndpoint('/api/sessions'))
const response = await fetch(makeEndpoint('/api/sessions'), {
headers: { accept: 'application/json' },
})
if (!response.ok) {
throw new Error(await readError(response))
}
return (await response.json()) as GatewaySessionsResponse
const contentType = response.headers.get('content-type') ?? ''
if (!contentType.toLowerCase().includes('application/json')) {
throw new Error(
'Session API returned non-JSON content. Your auth/proxy may have intercepted /api/sessions.',
)
}
const payload = (await response.json()) as GatewaySessionsResponse
if (!Array.isArray(payload.sessions)) {
throw new Error('Session API returned an unexpected response shape')
}
return payload
}
export async function fetchSessionStatus(
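Review bot: The new shape check `if (!Array.isArray(payload.sessions))` dereferences `payload` before it is known to be an object, so a body of `null` sent with a JSON content-type throws a raw TypeError instead of the intended "unexpected response shape" error. Changing the guard to `if (!Array.isArray(payload?.sessions)) {` closes that gap. Better still, parse into `unknown` and narrow before returning, because the `as GatewaySessionsResponse` cast is applied before any validation and the elements of `sessions` are never checked. The `response.json()` call can also still reject on a malformed body that carries a JSON content-type, so wrapping it in a try/catch that rethrows the same clear message would keep the error path uniform. An intercepted response with a non-2xx status goes through `readError`, which is outside this hunk, so it is worth confirming that helper copes with an HTML body too.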