supabase icon indicating copy to clipboard operation
supabase copied to clipboard

Published 20 hours ago verified publisher icon supabase

Set CORS headers for Edge Functions 401 response

Open acurrieclark opened this issue 1 year ago • 6 comments

Bug report

Describe the bug

When attempting to call an edge function with a bad token, the function rightly issues a 401 response. However, while CORS headers appear to be set for the preflight OPTIONS request, they are not for the subsequent POST request, resulting in the browser seeing a failed fetch rather than the 401 response.

To Reproduce

fetch(
    import.meta.env.SUPABASE_FUNCTION_URL,
  {
    method: "POST",
    headers: {
      Authorization: "Bearer bad-token",
      "Content-Type": "application/json",
    },
  }
)
  .then((res) => {
    console.log(res);
  })
  .catch((error) => {
    console.log(error);
  });

When CORS is enabled in the browser, an error is caught. With CORS disabled (in the browser), the response is properly logged.

Expected behavior

The response should have appropriate CORS headers set.

System information

  • OS: OS X 12.5.1
  • Browser: Brave (also confirmed in Chrome)

acurrieclark avatar Oct 06 '22 12:10 acurrieclark

@acurrieclark You will need to add a CORS check on your function. Check the example in the guide on how to implement it in your function.

laktek avatar Oct 07 '22 05:10 laktek

I have a CORS check in my function. What I am saying is that if I hit the endpoint with a bad token, it never reaches the function itself and the 401 response (which I have no control over) doesn’t include CORS headers.

acurrieclark avatar Oct 07 '22 06:10 acurrieclark

Sorry misunderstood your question. Looks like this is a bug in our end. Will post a fix for it this week.

laktek avatar Oct 09 '22 22:10 laktek

We've deployed a fix for this issue. Can you check if the error statuses are returned correctly on your functions?

laktek avatar Oct 11 '22 03:10 laktek

Works as expected locally. Will close for now and reopen if it doesn't work in production.

Thanks so much for the quick turnaround.

acurrieclark avatar Oct 11 '22 14:10 acurrieclark

I am finding this same issue has popped back up on a new project of mine. Same issue, currently running on a local dev Supabase function.

acurrieclark avatar Nov 17 '22 14:11 acurrieclark

@acurrieclark Is this still an issue for you, or did it get resolved. Not much info in your last post and getting stale.

GaryAustin1 avatar Feb 10 '23 02:02 GaryAustin1

Hi @GaryAustin1, good point. Not checked in a while. Will update to the latest version of CLI and test for you now.

acurrieclark avatar Feb 10 '23 16:02 acurrieclark

Just run another test, and I can confirm that I am still seeing the error. It just means that I need to handle to error with an extra try/catch block outside any fetch request. Note that this only happens when the bearer token is not valid

try {
  fetch(import.meta.env.SUPABASE_FUNCTION_URL, {
    method: "POST",
    headers: {
      Authorization: "Bearer bad-token",
      "Content-Type": "application/json",
    },
  })
  .then((res) => {
    console.log(res);
  })
  .catch((error) => {
    // most errors would be caught here, for example a deliberately thrown error response
    // from within the application
    console.log(error);
  });
} catch (error) {
  // the 401 response which is sent before the function has even been run does not have 
  // CORS headers, so it doesn't even hit our catch on the fetch
  console.log(error);
}

This was previously fixed, but seems to have regressed.

acurrieclark avatar Feb 10 '23 17:02 acurrieclark

Hey @acurrieclark - in the last year we have made lots of changes around Edge Functions, are you still seeing this issue now?

Since it has been so long and we are not seeing other/wider reports of the issue I will close it as stale. However, if you are still experiencing this issue let us know and we can open it up again no problem.

KevinBrolly avatar Jan 17 '24 10:01 KevinBrolly