fix: token check route is GET not POST

[leonardmq]

PR going into #882

What does this PR do?

The route called by the endpoint that verifies the Copilot token was POST, but server expects GET.

Checklists

• Tests have been run locally and passed
• New tests have been added to any work in /lib

Summary by CodeRabbit

• Refactor

  • Kiln Copilot API verification now uses GET requests instead of POST requests
  • Validation determines key validity based on 200 status response from server

• Tests

  • Updated test cases to reflect API verification method changes

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The Kiln Copilot key verification method changes from POST to GET request. The implementation now validates the key by sending a GET request to the Kiln server and considers the key valid upon receiving a 200 status code, storing it accordingly; non-200 responses return the error content with the corresponding status code. The test suite is updated to reflect this HTTP method change.

Changes

Cohort / File(s)	Summary
Kiln Copilot verification HTTP method update app/desktop/studio_server/provider_api.py, app/desktop/studio_server/test_provider_api.py	Changed Kiln Copilot key verification from POST to GET request; updated corresponding test mock to use GET method instead of POST

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

• Straightforward HTTP method change with no logic modifications
• Homogeneous update (same change pattern applied consistently across implementation and test)

Poem

🐰 A POST once verified our copilot's grace,
Now GET takes its place, a faster pace!
Two hundred status codes gleam with delight,
The key is now stored when the response shines bright! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing the HTTP method for the token check route from POST to GET.
Description check	✅ Passed	The description includes the primary section 'What does this PR do?' explaining the fix, mentions it targets PR #882, and confirms checklist items for testing and new tests.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch leonard/fix-verify-token-route

---

📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b76fe89 and 7ec1672.

📒 Files selected for processing (2)

• app/desktop/studio_server/provider_api.py (1 hunks)
• app/desktop/studio_server/test_provider_api.py (1 hunks)

🧰 Additional context used

📓 Path-based instructions (5)

**/*test*.py

📄 CodeRabbit inference engine (.cursor/rules/project.mdc)

Use pytest for testing Python code

Files:

• app/desktop/studio_server/test_provider_api.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/project.mdc)

**/*.py: Use asyncio for asynchronous operations in Python
Use Pydantic v2 (not v1) for data validation

**/*.py: Use Pydantic v2, not v1
Use asyncio for asynchronous operations in Python

Files:

• app/desktop/studio_server/test_provider_api.py
• app/desktop/studio_server/provider_api.py

app/desktop/**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

Use Python 3.13 for the desktop application (app/desktop)

Files:

• app/desktop/studio_server/test_provider_api.py
• app/desktop/studio_server/provider_api.py

**/test_*.py

📄 CodeRabbit inference engine (AGENTS.md)

Use pytest for testing in Python

Files:

• app/desktop/studio_server/test_provider_api.py

{libs/server,app/desktop/studio_server}/**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

Use FastAPI for REST server implementation

Files:

• app/desktop/studio_server/test_provider_api.py
• app/desktop/studio_server/provider_api.py

🧠 Learnings (1)

📓 Common learnings

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 546
File: app/web_ui/src/routes/(app)/docs/library/[project_id]/upload_file_dialog.svelte:107-120
Timestamp: 2025-09-10T08:32:18.688Z
Learning: leonardmq prefers to work within the constraints of their SDK codegen for API calls, even when typing is awkward (like casting FormData to match expected types), rather than using alternative approaches like native fetch that would cause compiler errors with their generated types.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 413
File: libs/core/kiln_ai/datamodel/chunk.py:138-160
Timestamp: 2025-08-22T11:17:56.862Z
Learning: leonardmq prefers to avoid redundant validation checks when upstream systems already guarantee preconditions are met. He trusts the attachment system to ensure paths are properly formatted and prefers letting the attachment method (resolve_path) handle any edge cases rather than adding defensive precondition checks.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 390
File: libs/core/kiln_ai/adapters/provider_tools.py:494-499
Timestamp: 2025-07-23T08:58:45.769Z
Learning: leonardmq prefers to keep tightly coupled implementation details (like API versions) hardcoded when they are not user-facing and could break other modules if changed. The shared Config class is reserved for user-facing customizable values, not internal implementation details.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 341
File: libs/server/kiln_server/document_api.py:44-51
Timestamp: 2025-06-18T08:22:58.510Z
Learning: leonardmq prefers to defer fixing blocking I/O in async handlers when: the operation is very fast (milliseconds), user-triggered rather than automated, has no concurrency concerns, and would require additional testing to fix properly. He acknowledges such issues as valid but makes pragmatic decisions about timing the fixes.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 487
File: libs/core/kiln_ai/datamodel/rag.py:33-35
Timestamp: 2025-09-04T06:45:44.212Z
Learning: leonardmq requires vector_store_config_id to be a mandatory field in RagConfig (similar to extractor_config_id, chunker_config_id, embedding_config_id) for consistency. He prefers fixing dependent code that breaks due to missing required fields rather than making fields optional to accommodate incomplete data.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 654
File: app/web_ui/src/routes/(app)/docs/rag_configs/[project_id]/create_rag_config/edit_rag_config_form.svelte:141-152
Timestamp: 2025-09-25T06:38:14.854Z
Learning: leonardmq prefers simple onMount initialization patterns over reactive statements when possible, and is cautious about maintaining internal state for idempotency in Svelte components. He values simplicity and safety in component lifecycle management.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 402
File: libs/core/kiln_ai/adapters/embedding/litellm_embedding_adapter.py:0-0
Timestamp: 2025-07-14T03:43:07.283Z
Learning: leonardmq prefers to keep defensive validation checks even when they're technically redundant, viewing them as useful "quick sanity checks" that provide additional safety nets. He values defensive programming over strict DRY (Don't Repeat Yourself) principles when the redundant code serves as a safeguard.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 546
File: app/web_ui/src/lib/api_schema.d.ts:0-0
Timestamp: 2025-09-10T08:27:47.227Z
Learning: leonardmq correctly identifies auto-generated files and prefers not to manually edit them. When suggesting changes to generated TypeScript API schema files, the fix should be made in the source OpenAPI specification in the backend, not in the generated TypeScript file.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 487
File: libs/core/kiln_ai/adapters/vector_store/lancedb_adapter.py:136-150
Timestamp: 2025-09-04T06:34:12.318Z
Learning: leonardmq prefers brute force re-insertion of all chunks when partial chunks exist in the LanceDB vector store, rather than selectively inserting only missing chunks. His reasoning is that documents typically have only dozens of chunks (making overwriting cheap), and partial insertion likely indicates data corruption or conflicts that should be resolved by re-inserting all chunks to ensure consistency.

Learnt from: leonardmq
Repo: Kiln-AI/Kiln PR: 487
File: libs/core/kiln_ai/adapters/vector_store/lancedb_adapter.py:98-103
Timestamp: 2025-09-04T07:08:04.248Z
Learning: leonardmq prefers to let TableNotFoundError bubble up in delete_nodes_by_document_id operations rather than catching it, as this error indicates operations are being done in the wrong order on the caller side and should be surfaced as a programming error rather than handled gracefully.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Generate Coverage Report
• GitHub Check: Build Desktop Apps (ubuntu-22.04)
• GitHub Check: Build Desktop Apps (macos-15-intel)
• GitHub Check: Build Desktop Apps (ubuntu-22.04-arm)
• GitHub Check: Build Desktop Apps (windows-latest)
• GitHub Check: Build Desktop Apps (macos-latest)

🔇 Additional comments (2)

app/desktop/studio_server/provider_api.py (1)

1156-1182: LGTM! HTTP method correction aligns with server expectations.

The change from POST to GET is correct for a token verification endpoint. GET is semantically appropriate for read-only verification operations, and the implementation properly uses Authorization headers rather than query parameters, maintaining security.

app/desktop/studio_server/test_provider_api.py (1)

137-157: LGTM! Test properly updated to reflect GET method.

The test mock has been correctly updated from httpx.AsyncClient.post to httpx.AsyncClient.get, maintaining proper test coverage for the Kiln Copilot verification flow.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📊 Coverage Report

Overall Coverage: 92%

Diff: origin/dchiang/KIL-236/kinde-auth...HEAD

• app/desktop/studio_server/provider_api.py (100%)

Summary

• Total: 1 line
• Missing: 0 lines
• Coverage: 100%

---

• 📊 HTML Coverage Report - Interactive coverage report
• 📈 Diff Coverage Report - Detailed diff analysis
• Github Actions Run - View the full coverage report