PostgREST / postgrest

REST API for any Postgres database
https://postgrest.org
MIT License

needed control over CORS allowed headers #3551

Open fusionbeam opened 1 month ago

fusionbeam commented 1 month ago

Environment

Description of issue

I am trying to add a custom header (x-app-id) to PostgREST requests. My intention is to use the value of this header in RLS policies. I noticed PostgREST has no way to add this header to the list of allowed headers: Access-Control-Allow-Headers

Would you consider supporting controlling the allowed headers via a configuration parameter similar to server-cors-allowed-origins? It would be something like: server-cors-allowed-headers="Authorization, Content-Type, Accept, Accept-Language, Content-Language, X-App" or to just configure the extra headers: server-cors-allowed-headers="X-App"

Thank you, Ra

laurenceisla commented 1 month ago

For PostgREST to return Access-Control-Allow-Headers you'll need to add the header Access-Control-Request-Headers in the CORS pre-flight request. It will include the header that you specify there in the list of allowed headers by default. For example:

curl -X OPTIONS "http://localhost:3000/todos" \
        -H "Access-Control-Request-Method: GET" \
        -H "Access-Control-Request-Headers: X-App-Id" \
        -H "Origin: http://www.example.com" -i
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 22 May 2024 18:12:48 GMT
Server: postgrest/12.1 (b6c6f2b)
X-Request:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Headers: Authorization, X-App-Id, Accept, Accept-Language, Content-Language
Access-Control-Max-Age: 86400

AFAIK the browser adds Access-Control-Request-Headers to the pre-flight, when specifying headers in a fetch(), for instance.
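The exchange laurenceisla describes, as an added example (not code from the PostgREST project or from either participant): a browser client sends the non-safelisted headers that force the preflight, and a small helper applies the same Access-Control-Allow-Headers check the browser performs on the OPTIONS response, so you can see why a header PostgREST echoes back passes and one it omits is blocked. The PostgREST URL (http://localhost:3000), the todos table and the app id "demo-app" are assumptions; the preflight header values fed to the checker are constructed from the response shown in the reply above.

```javascript
// Added example, not code from the PostgREST project or from this thread.
// Assumed/hypothetical: PostgREST at http://localhost:3000 exposing a "todos"
// table, and the app id "demo-app".

const POSTGREST_URL = "http://localhost:3000";

// Headers the Fetch spec treats as CORS-safelisted: they never trigger a
// preflight and never need to appear in Access-Control-Allow-Headers.
// (The spec's 128-byte value limit and byte-range rules are ignored here.)
const SAFELISTED_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function isSafelisted(name, value) {
  if (SAFELISTED_NAMES.has(name)) return true;
  if (name === "content-type") {
    // Only the MIME essence counts; parameters such as charset are dropped,
    // so application/json is NOT safelisted and needs an allow entry.
    const essence = String(value).split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return false;
}

// Parse "A, B, C" into a lower-cased set. Header names are case-insensitive,
// which is why "X-App-Id" in the response satisfies a request sending x-app-id.
function parseAllowHeaders(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter((h) => h.length > 0)
  );
}

// Return the request headers (lower-cased, in request order) that the
// preflight response does NOT allow. An empty array means the browser would
// release the real request. credentials=true models fetch({credentials:
// "include"}), where "*" in Access-Control-Allow-Headers is a literal name
// rather than a wildcard.
function disallowedHeaders(allowHeadersValue, requestHeaders, { credentials = false } = {}) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = !credentials && allowed.has("*");
  const result = [];
  for (const [rawName, value] of Object.entries(requestHeaders)) {
    const name = rawName.toLowerCase();
    if (isSafelisted(name, value)) continue;
    if (allowed.has(name)) continue;
    // Per the Fetch spec the wildcard never covers Authorization; it must be listed.
    if (wildcard && name !== "authorization") continue;
    result.push(name);
  }
  return result;
}

// The request a browser client would actually issue. Because X-App-Id and
// Authorization are not safelisted, the browser first sends
//   OPTIONS /todos  with  Access-Control-Request-Headers: authorization,x-app-id
// and only issues this GET if PostgREST echoes both names back.
async function fetchTodos(appId, token) {
  const response = await fetch(`${POSTGREST_URL}/todos`, {
    method: "GET",
    headers: {
      Authorization: `Bearer ${token}`,
      "X-App-Id": appId,
      Accept: "application/json",
    },
  });
  if (!response.ok) throw new Error(`PostgREST responded ${response.status}`);
  return response.json();
}

// Constructed preflight values: the one PostgREST returned in the thread, and
// one that omits the custom header.
const shownByPostgrest = "Authorization, X-App-Id, Accept, Accept-Language, Content-Language";
const clientHeaders = { Authorization: "Bearer t", "X-App-Id": "demo-app" };
console.log(disallowedHeaders(shownByPostgrest, clientHeaders));      // []
console.log(disallowedHeaders("Authorization, Accept", clientHeaders)); // ["x-app-id"]
```

Since PostgREST builds Access-Control-Allow-Headers from whatever the browser put in Access-Control-Request-Headers, no server-side list of custom headers is needed for the preflight to succeed; what matters is that the header is set on the fetch() call itself. Once the request reaches PostgREST, the header value is exposed to SQL through PostgREST's request.headers setting, which is where an RLS policy can read it.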