supabase / edge-runtime

A server based on Deno runtime, capable of running JavaScript, TypeScript, and WASM services.
MIT License

Set CORS headers for Edge Functions 401 response #213

Open acurrieclark opened 1 year ago

acurrieclark commented 1 year ago

Bug report

Originally posted in the main supabase repo, but reposting here as it seems to have regressed.

Describe the bug

When attempting to call an edge function with a bad token, the function rightly issues a 401 response. However, while CORS headers appear to be set for the preflight OPTIONS request, they are not for the subsequent POST request, resulting in the browser seeing a failed fetch rather than the 401 response.

Please note that this is not to do with setting CORS headers within the function, as with a bad token the function code is never reached.

To Reproduce

fetch(
  import.meta.env.SUPABASE_FUNCTION_URL,
  {
    method: "POST",
    headers: {
      Authorization: "Bearer bad-token",
      "Content-Type": "application/json",
    },
  }
)
  .then((res) => {
    console.log(res);
  })
  .catch((error) => {
    console.log(error);
  });

When CORS is enabled in the browser, an error is caught. With CORS disabled (in the browser), the response is properly logged.

Expected behavior

The response should have appropriate CORS headers set.

System information

acurrieclark commented 1 year ago

I have just done some further testing, and can verify that this does not occur in a production Supabase function.

sweatybridge commented 11 months ago

Transferring to edge runtime repo. Not sure if this is still reproducible now that we have switched out of Deno container completely.
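
The failure reported in this issue, reduced to a runnable sketch (an added example, not code from edge-runtime or from any commenter). `gatewayAsReported`, `withCors`, `verifyToken`, `browserCanRead`, the URLs and the token values are hypothetical names and constructed values; the browser check is simplified to a non-credentialed request.

```javascript
// Headers the gateway should attach to every response, including auth rejections.
const CORS_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  // Authorization must be listed by name; the "*" wildcard does not cover it.
  "Access-Control-Allow-Headers": "authorization, content-type",
  "Access-Control-Allow-Methods": "POST, OPTIONS",
};

// Stand-in for the gateway's token check, which runs before any function code.
function verifyToken(req) {
  return req.headers.get("Authorization") === "Bearer good-token"; // constructed value
}

// Behaviour described in the issue: the preflight carries CORS headers, the 401 does not.
function gatewayAsReported(req) {
  if (req.method === "OPTIONS") {
    return new Response(null, { status: 204, headers: CORS_HEADERS });
  }
  if (!verifyToken(req)) return new Response("Unauthorized", { status: 401 });
  return new Response("ok", { status: 200, headers: CORS_HEADERS });
}

// Expected behaviour: wrap the gateway so no response leaves without the headers.
function withCors(handler) {
  return (req) => {
    const res = handler(req);
    const headers = new Headers(res.headers);
    for (const [name, value] of Object.entries(CORS_HEADERS)) {
      if (!headers.has(name)) headers.set(name, value);
    }
    return new Response(res.body, { status: res.status, headers });
  };
}

// Simplified browser-side CORS check: may page script read this response?
function browserCanRead(res, origin) {
  const allowed = res.headers.get("Access-Control-Allow-Origin");
  return allowed === "*" || allowed === origin;
}

// Replays the POST from "To Reproduce" against a gateway implementation.
function demo(gateway) {
  const req = new Request("https://functions.example/hello", {
    method: "POST",
    headers: { Authorization: "Bearer bad-token", "Content-Type": "application/json" },
  });
  const res = gateway(req);
  return { status: res.status, readable: browserCanRead(res, "https://app.example") };
}
```

Both gateways return 401 for the bad token; only the wrapped one produces a response the page script is allowed to read, so the client can tell an auth failure apart from a network error.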