fix: prevent request hanging in Bun by selectively forwarding headers

[shrutikcs]

This PR fixes an issue where internal authentication requests hang indefinitely when running in the Bun runtime.

When using Bun with Next.js, the integration encounters two main issues during server-side authentication:

• Read-only Headers: next/headers() returns a read-only Headers object.
• Header Forwarding (Content-Length): All headers from the original incoming request were being forwarded to the internal Convex auth request. If the original request was a POST (e.g., a form submission), it included a Content-Length header. Forwarding this to an internal request with no body causes the server to wait indefinitely for data that never arrives.

Solution:

Modified the getToken logic to:

• Create a new, mutable Headers object.
• Selectively forward only the essential headers (cookie and user-agent).
  This prevents problematic headers like Content-Length or Host from being incorrectly carried over.

Fixes #249

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Summary by CodeRabbit

• Bug Fixes
  • Improved token retrieval to ensure proper propagation of cookie and user-agent headers from request context, enhancing reliability of authentication flows.

[vercel]

@shrutikcs is attempting to deploy a commit to the Convex Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

📝 Walkthrough

Walkthrough

The token retrieval logic in Next.js integration now selectively forwards only cookie and user-agent headers to getToken instead of passing all request headers directly, preventing header mismatches during token acquisition.

Changes

Cohort / File(s)	Summary
Header propagation in token retrieval src/nextjs/index.ts	Modified header handling to create a mutable Headers object and selectively copy only cookie and user-agent headers when present, instead of forwarding all headers from the request.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Headers were tangled in Bun's web today,
But now we pick cookies the proper way,
Just cookie and user-agent, nothing more,
No Content-Length chaos to settle the score!
A selective forward, both humble and bright,
Makes fetchAuthMutation work just right! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: preventing request hanging in Bun by selectively forwarding headers, which directly matches the implemented solution.
Linked Issues check	✅ Passed	The code changes implement selective header forwarding (cookie and user-agent only) as proposed in issue #249, directly addressing the Bun/Next.js hanging issue.
Out of Scope Changes check	✅ Passed	All changes in src/nextjs/index.ts are directly scoped to fixing the header handling for token retrieval, with no unrelated modifications present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Important

Action Needed: IP Allowlist Update

If your organization protects your Git platform with IP whitelisting, please add the new CodeRabbit IP address to your allowlist:

• ✨ 136.113.208.247/32 (new)
• 34.170.211.100/32
• 35.222.179.152/32

Reviews will stop working after February 8, 2026 if the new IP is not added to your allowlist.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}