fix(storage): avoid duplicate Content-Type headers and header mutation (#1359)

* fix(storage): avoid duplicate Content-Type headers and header mutation

In _handleRequest, the headers map was being mutated directly by adding
Content-Type: application/json. This meant:

1. The stored headers map on StorageFileApi/_StorageBucketApi was permanently
   mutated after each non-GET request, accumulating Content-Type.
2. Custom Content-Type headers set via setHeader() were overwritten
   unconditionally, ignoring caller intent.

Fix: copy headers before modifying, and use a case-insensitive check
for an existing Content-Type before setting the application/json default.

Linear: SDK-881

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* style(storage): format fetch.dart

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Update packages/storage_client/lib/src/fetch.dart

Co-authored-by: Vinzent <vinzent03@proton.me>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Vinzent <vinzent03@proton.me>

Author: 3 people

packages/storage_client/lib/src/fetch.dart

@@ -69,9 +69,13 @@ class Fetch {
     Map<String, dynamic>? body,
     FetchOptions? options,
   ) async {
-    final headers = options?.headers ?? {};
+    final headers = {...?options?.headers};
     if (method != 'GET') {
-      headers['Content-Type'] = 'application/json';
+      final hasContentType =
+          headers.keys.any((key) => key.toLowerCase() == 'content-type');
+      if (!hasContentType) {
+        headers['Content-Type'] = 'application/json';
+      }
     }
 
     final request = http.Request(method, Uri.parse(url))

packages/storage_client/test/client_test.dart

@@ -608,4 +608,58 @@ void main() {
       );
     });
   });
+
+  group('Content-Type header handling', () {
+    late CustomHttpClient customHttpClient;
+    late SupabaseStorageClient client;
+
+    setUp(() {
+      customHttpClient = CustomHttpClient();
+      client = SupabaseStorageClient(
+        storageUrl,
+        {'Authorization': 'Bearer $storageKey'},
+        httpClient: customHttpClient,
+      );
+    });
+
+    test('defaults to application/json for non-GET requests', () async {
+      customHttpClient.response = {'message': 'Emptied'};
+      customHttpClient.statusCode = 200;
+
+      await client.emptyBucket('bucket1');
+
+      expect(customHttpClient.receivedRequests.length, 1);
+      expect(
+        customHttpClient.receivedRequests.first.headers['content-type'],
+        contains('application/json'),
+      );
+    });
+
+    test('preserves custom Content-Type set via setHeader', () async {
+      customHttpClient.response = {'message': 'Emptied'};
+      customHttpClient.statusCode = 200;
+
+      client.setHeader('Content-Type', 'application/octet-stream');
+      await client.emptyBucket('bucket1');
+
+      expect(customHttpClient.receivedRequests.length, 1);
+      expect(
+        customHttpClient.receivedRequests.first.headers['content-type'],
+        startsWith('application/octet-stream'),
+      );
+    });
+
+    test('does not mutate the stored headers map after a non-GET request',
+        () async {
+      customHttpClient.response = [];
+      customHttpClient.statusCode = 200;
+
+      final fileApi = client.from('test-bucket');
+      final headersBefore = Map<String, String>.from(fileApi.headers);
+
+      await fileApi.list();
+
+      expect(fileApi.headers, equals(headersBefore));
+    });
+  });
 }