supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

Unable to read `x-total-count` pagination header from listUsers() due to CORS restrictions #980

Closed JonathanPicques closed 1 year ago

JonathanPicques commented 1 year ago

Bug report

Using fetch from the browser, we are unable to get the value of the `x-total-count` header, because it is not whitelisted in the `Access-Control-Expose-Headers` header of the response.

Expected behavior

Access-Control-Expose-Headers: x-total-count
x-total-count: 32

kangmingtay commented 1 year ago

Hi @JonathanPicques, we are able to read the value of x-total-count in the js client library which uses the fetch API as well (https://github.com/supabase/gotrue-js/blob/e5708f006379df98dcf2f69dfe10e199d7d30147/src/GoTrueAdminApi.ts#L188). It would be great if you can provide a reproducible example so we can investigate this further.

JonathanPicques commented 1 year ago

@kangmingtay are you in the same domain when trying to read `x-total-count`? That would explain why you are able to read this header; this issue is happening when reading from another domain:

// Cross-site call to the admin users endpoint from a browser page on another origin.
// Spreading resp.headers logs every header entry the browser lets this script see.
fetch("https://REPLACE_ME.supabase.co/auth/v1/admin/users?page=&per_page=1000", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-US,en;q=0.9,fr-FR;q=0.8,fr;q=0.7",
    "apikey": "REPLACE_ME",
    "authorization": "Bearer REPLACE_ME",
    "sec-ch-ua": "\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site"
  },
  "referrer": "http://REPLACE_ME/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
}).then(resp => console.log(...resp.headers));

This code will output

['content-type', 'application/json']

Good topic on the issue: https://stackoverflow.com/questions/43344819/reading-response-headers-with-fetch-api

kangmingtay commented 1 year ago

@JonathanPicques interesting, TIL. I've made a fix for it in gotrue here (https://github.com/supabase/gotrue/pull/991), but it will take some time before it's rolled out.
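The behaviour discussed in this thread, as an added Go example that is not gotrue's code and not the linked pull request: a hypothetical admin list-users handler sends `X-Total-Count`, and a small model of the browser's CORS rules shows that cross-origin script only sees the CORS-safelisted response headers (`Content-Type` and a few others) plus whatever the server names in `Access-Control-Expose-Headers`. The handler, the origin `http://app.example`, and the total of 32 are constructed for the example; the wildcard `Access-Control-Allow-Origin` is part of the constructed handler too.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strconv"
	"strings"
)

// listUsersHandler is a hypothetical handler (not gotrue's) that reports the
// total number of users in X-Total-Count. With exposeCount=false it reproduces
// the symptom from the issue: the header is on the wire but a cross-origin
// browser page cannot read it. With exposeCount=true it whitelists the header.
func listUsersHandler(total int, exposeCount bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", "*") // constructed for the example
		h.Set("X-Total-Count", strconv.Itoa(total))
		if exposeCount {
			h.Set("Access-Control-Expose-Headers", "X-Total-Count")
		}
		h.Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusOK)
		fmt.Fprint(w, `{"users":[]}`)
	})
}

// corsSafelisted holds the CORS-safelisted response header names: the only
// headers cross-origin script may read without an Access-Control-Expose-Headers entry.
var corsSafelisted = map[string]bool{
	"cache-control": true, "content-language": true, "content-length": true,
	"content-type": true, "expires": true, "last-modified": true, "pragma": true,
}

// browserVisibleHeaders models which response headers fetch() exposes to a
// cross-origin page: safelisted names plus those listed (comma-separated) in
// Access-Control-Expose-Headers, or everything when that list is "*".
func browserVisibleHeaders(resp *http.Response) []string {
	exposed := map[string]bool{}
	for _, v := range resp.Header.Values("Access-Control-Expose-Headers") {
		for _, name := range strings.Split(v, ",") {
			if n := strings.ToLower(strings.TrimSpace(name)); n != "" {
				exposed[n] = true
			}
		}
	}
	var visible []string
	for name := range resp.Header {
		n := strings.ToLower(name)
		if corsSafelisted[n] || exposed[n] || exposed["*"] {
			visible = append(visible, n)
		}
	}
	sort.Strings(visible)
	return visible
}

// readTotalCrossOrigin performs a cross-site GET against the handler and
// returns the X-Total-Count value as the browser page would see it; ok is
// false when the header is present but not exposed.
func readTotalCrossOrigin(total int, exposeCount bool) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/auth/v1/admin/users?page=&per_page=1000", nil)
	req.Header.Set("Origin", "http://app.example") // constructed cross-site origin
	rec := httptest.NewRecorder()
	listUsersHandler(total, exposeCount).ServeHTTP(rec, req)
	resp := rec.Result()
	for _, h := range browserVisibleHeaders(resp) {
		if h == "x-total-count" {
			n, err := strconv.Atoi(resp.Header.Get("X-Total-Count"))
			return n, err == nil
		}
	}
	return 0, false
}

func main() {
	for _, expose := range []bool{false, true} {
		n, ok := readTotalCrossOrigin(32, expose)
		fmt.Printf("expose=%v -> x-total-count readable=%v value=%d\n", expose, ok, n)
	}
}
```

Without the expose header, `browserVisibleHeaders` returns only `content-type`, which matches the output pasted above; with it, the page can read the count. The same check applies to any custom header a client depends on, and `Access-Control-Expose-Headers: *` only works for requests made without credentials, so naming the header explicitly is the safer fix.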