supabase / supabase-flutter

Flutter integration for Supabase. This package makes it simple for developers to build secure and scalable products.
https://supabase.com/
MIT License

fix: Don't send access token in rest broadcast #881

Closed Vinzent03 closed 2 months ago

Vinzent03 commented 2 months ago

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

The access token is sent as apikey, but from what I see it doesn't need/take authorization at all.

What is the new behavior?

The apikey passed in the default header in realtime client initialization in the supabase package is used. That's the anon apikey and not the user's one.

Additional context

I noticed that it was enough to remove the apikey field in the send method, because the apikey field also gets set in the AuthHttpClient if it's not already set, but I thought it's good either way to add it to the headers directly as well. realtime-js does this as well.

close #867