Supabase should be sending X-Supabase-API-Version in Access-Control-Allow-Headers HTTP header #1589
Labels
bug
Something isn't working
Comments
uxodb
pushed a commit
to uxodb/auth
that referenced
this issue
Nov 13, 2024
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this issue
Nov 13, 2024
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this issue
Nov 15, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello everyone,
This is probably minor issue, but in cross-origin setups, the default configuration of
supabase/authdoes not work properly with relatively new versions onsupabase/auth-js. #1377 introduced handling ofX-Supabase-Api-Versionheader as a mechanism to choose corresponding API version, and inauth-jsthe client-side of this was implemented in supabase/auth-js#855.Notice however, that this new header is not present in default CORS config in
auth, as defined in internal/api/api.go line 289 thus not present inAccess-Control-Allow-Headersheader thatsupabase/authsends. This breaks existing cross-origin setups if you update to versions past PRs mentioned.There is simple fix of adding
GOTRUE_CORS_ALLOWED_HEADERS=X-Supabase-Api-Versionto environment variables, it is however not documented.Therefore I'd suggest either adding
"X-Supabase-Api-Version"(orAPIVersionHeaderName) to default allowed headers for CORS, or addGOTRUE_CORS_ALLOWED_HEADERSenv variable information to README (or both).Thank you for all the great software,
BR,
ympek
The text was updated successfully, but these errors were encountered: