
Set CORS headers for Edge Functions 401 response

Open acurrieclark opened this issue 2 years ago • 2 comments

Bug report

Originally posted in the main supabase repo, but reposting here as it seems to have regressed.

Describe the bug

When attempting to call an edge function with a bad token, the function rightly issues a 401 response. However, while CORS headers appear to be set for the preflight OPTIONS request, they are not for the subsequent POST request, resulting in the browser seeing a failed fetch rather than the 401 response.

Please note that this is not to do with setting CORS headers within the function, as with a bad token the function code is never reached.

To Reproduce

fetch(import.meta.env.SUPABASE_FUNCTION_URL, {
  method: "POST",
  headers: {
    Authorization: "Bearer bad-token",
    "Content-Type": "application/json",
  },
})
  .then((res) => {
    console.log(res);
  })
  .catch((error) => {
    console.log(error);
  });

When CORS is enabled in the browser, an error is caught. With CORS disabled (in the browser), the response is properly logged.

Expected behavior

The response should have appropriate CORS headers set.

System information

  • OS: OS X 12.5.1
  • Browser: Brave (also confirmed in Chrome)

acurrieclark avatar Nov 25 '22 21:11 acurrieclark
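The behaviour the report asks for, as an added example that is not code from the issue or from the edge-runtime project: an auth gate that sits in front of the function and attaches the same CORS headers to its own 401 rejection as to the preflight reply. `ALLOWED_ORIGINS`, `corsHeaders`, `verifyToken` and `authGate` are hypothetical names, and the origin, token and error body are constructed sample values.

```javascript
// Hypothetical gateway layer; it runs before any function code is reached.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed value

function corsHeaders(origin) {
  // Echo only allow-listed origins; never reflect an arbitrary Origin header.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Headers": "authorization, content-type",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    Vary: "Origin",
  };
}

// Stand-in for real JWT verification (assumption): accepts one constructed token.
function verifyToken(authorization) {
  return authorization === "Bearer good-token";
}

// request: any object with `method` and a Headers instance in `headers`.
function authGate(request, handler) {
  const cors = corsHeaders(request.headers.get("Origin"));
  if (request.method === "OPTIONS") {
    return new Response(null, { status: 204, headers: cors }); // preflight
  }
  if (!verifyToken(request.headers.get("Authorization"))) {
    // The rejection is built here, not in the function, so the CORS headers
    // must be added here too or the browser reports a failed fetch, not a 401.
    return new Response(JSON.stringify({ error: "unauthorized" }), {
      status: 401,
      headers: { ...cors, "Content-Type": "application/json" },
    });
  }
  const res = handler(request);
  for (const [name, value] of Object.entries(cors)) res.headers.set(name, value);
  return res;
}

// Constructed request mirroring the reproduction: a POST with a bad token.
function demo() {
  const headers = new Headers({
    Origin: "https://app.example.com",
    Authorization: "Bearer bad-token",
  });
  const res = authGate({ method: "POST", headers }, () => new Response("ok"));
  return { status: res.status, acao: res.headers.get("Access-Control-Allow-Origin") };
}
```

An origin that is not on the allow-list still gets the 401, but without `Access-Control-Allow-Origin`, so the browser keeps blocking the read.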

I have just done some further testing, and can verify that this does not occur in a production Supabase function.

acurrieclark avatar Nov 26 '22 16:11 acurrieclark

Transferring to edge runtime repo. Not sure if this is still reproducible now that we have switched out of the Deno container completely.

sweatybridge avatar Nov 09 '23 05:11 sweatybridge