
Supabase should be sending X-Supabase-API-Version in Access-Control-Allow-Headers HTTP header

Open ympek opened this issue 9 months ago • 0 comments

Hello everyone,

This is probably a minor issue, but in cross-origin setups the default configuration of supabase/auth does not work properly with relatively new versions of supabase/auth-js. #1377 introduced handling of the X-Supabase-Api-Version header as a mechanism to choose the corresponding API version, and the client side of this was implemented in auth-js in https://github.com/supabase/auth-js/pull/855.

Notice, however, that this new header is not present in the default CORS config in auth, as defined in internal/api/api.go line 289, and is thus not present in the Access-Control-Allow-Headers header that supabase/auth sends. This breaks existing cross-origin setups if you update to versions past the PRs mentioned.

There is a simple fix of adding GOTRUE_CORS_ALLOWED_HEADERS=X-Supabase-Api-Version to the environment variables; it is, however, not documented.

Therefore I'd suggest either adding "X-Supabase-Api-Version" (or APIVersionHeaderName) to the default allowed headers for CORS, or adding information about the GOTRUE_CORS_ALLOWED_HEADERS env variable to the README (or both).

Thank you for all the great software, BR, ympek

ympek, May 22 '24 20:05
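The failure described in the issue is a CORS preflight failure: when auth-js attaches X-Supabase-Api-Version, the browser first sends an OPTIONS request listing that name in Access-Control-Request-Headers, and it only sends the real request if every listed name appears in the server's Access-Control-Allow-Headers. The following Go program is an added illustration, not code from supabase/auth; its default allow-list, middleware and handler names are hypothetical stand-ins chosen to reproduce the behaviour reported above. It simulates the preflight once with the default list and once with the extra header the issue recommends setting via GOTRUE_CORS_ALLOWED_HEADERS, and applies the browser-side matching rule to the response.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// APIVersionHeaderName is the header name discussed in the issue.
const APIVersionHeaderName = "X-Supabase-Api-Version"

// defaultAllowedHeaders is a hypothetical stand-in for a default CORS
// allow-list; it deliberately omits the API-version header, as the issue reports.
var defaultAllowedHeaders = []string{"Accept", "Authorization", "Content-Type", "X-Client-Info"}

// allowedHeaders merges the defaults with a comma-separated list such as the
// value of GOTRUE_CORS_ALLOWED_HEADERS. Empty entries are dropped.
func allowedHeaders(extra string) []string {
	out := append([]string{}, defaultAllowedHeaders...)
	for _, h := range strings.Split(extra, ",") {
		if h = strings.TrimSpace(h); h != "" {
			out = append(out, h)
		}
	}
	return out
}

// corsMiddleware answers OPTIONS preflights with the allow-list and passes
// other requests through. Minimal illustration only, not supabase/auth's code.
func corsMiddleware(allowed []string, next http.Handler) http.Handler {
	allowHeaders := strings.Join(allowed, ", ")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Headers", allowHeaders)
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflightAllows applies the browser-side rule: every name in
// Access-Control-Request-Headers must appear (case-insensitively) in
// Access-Control-Allow-Headers, otherwise the preflight fails and the
// real request is never sent.
func preflightAllows(allowHeaders, requested string) bool {
	allowed := map[string]bool{}
	for _, h := range strings.Split(allowHeaders, ",") {
		allowed[strings.ToLower(strings.TrimSpace(h))] = true
	}
	for _, h := range strings.Split(requested, ",") {
		h = strings.ToLower(strings.TrimSpace(h))
		if h != "" && !allowed[h] {
			return false
		}
	}
	return true
}

// simulatePreflight issues the preflight a browser would send for an auth-js
// request carrying Authorization, Content-Type and X-Supabase-Api-Version
// (constructed sample request) and reports the server's allow-list and
// whether the browser would accept it.
func simulatePreflight(extraAllowed string) (string, bool) {
	h := corsMiddleware(allowedHeaders(extraAllowed), http.NotFoundHandler())
	req := httptest.NewRequest(http.MethodOptions, "http://auth.example/token", nil)
	req.Header.Set("Origin", "https://app.example")
	req.Header.Set("Access-Control-Request-Method", "POST")
	requested := "authorization, content-type, x-supabase-api-version"
	req.Header.Set("Access-Control-Request-Headers", requested)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	allow := rec.Header().Get("Access-Control-Allow-Headers")
	return allow, preflightAllows(allow, requested)
}

func main() {
	for _, env := range []string{"", APIVersionHeaderName} {
		allow, ok := simulatePreflight(env)
		fmt.Printf("GOTRUE_CORS_ALLOWED_HEADERS=%q\n  Access-Control-Allow-Headers: %s\n  preflight accepted: %v\n", env, allow, ok)
	}
}
```

The first run reproduces the report: the allow-list lacks the API-version header, so the preflight is rejected before the token request is ever made. The second run shows why the one-line env fix works. When checking a real deployment, compare the Access-Control-Request-Headers your client sends against the Access-Control-Allow-Headers the server returns on the OPTIONS response; the comparison is case-insensitive, so X-Supabase-Api-Version and x-supabase-api-version match.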