VIA-357 MD/DB Fix middleware adding extra request headers to only modify request, not response

donna-belsey-nhs · donna-belsey-nhs · commit 64f73f385004 · 2025-09-29T17:24:42.000+01:00
In the previous implementation the headers sent into the
NextResponse.next method get applied to both the inbound reuqest AND
override the response headers as well. This unintended manipulation of
the response headers causes errors when calling Server Actions, where
next.js expects a particular content-type in the response and the
framework will throw an unhandled error if the header is not set as
expected.
diff --git a/src/middleware.ts b/src/middleware.ts
@@ -33,7 +33,9 @@ const middlewareWrapper = async (request: NextRequest) => {
     log.info({ context: { nextUrl: request.nextUrl.href } }, "Missing user session, redirecting to login");
     response = NextResponse.redirect(new URL(config.NHS_APP_REDIRECT_LOGIN_URL));
   } else {
-    response = NextResponse.next({ headers });
+    response = NextResponse.next({
+      request: { headers: headers },
+    });
   }
 
   profilePerformanceEnd(MiddlewarePerformanceMarker);
