Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions packages/stack/src/ApiProxy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -98,9 +98,23 @@ const CORS_HEADERS: ReadonlyArray<readonly [string, string]> = [

function addCorsHeaders(
response: HttpServerResponse.HttpServerResponse,
requestedHeaders?: string,
): HttpServerResponse.HttpServerResponse {
// On a preflight, echo the requested headers: browser clients evolve
// faster than any static list (supabase-js added x-supabase-api-version;
// PostgREST reads Prefer and the profile headers), and echoing is what
// Kong's cors plugin — the classic CLI's proxy — does when no header
// list is configured. The static list stays as the fallback for
// preflights that name no headers and for non-preflight responses.
return CORS_HEADERS.reduce(
(res, [name, value]) => HttpServerResponse.setHeader(res, name, value),
(res, [name, value]) =>
HttpServerResponse.setHeader(
res,
name,
name === "access-control-allow-headers" && requestedHeaders !== undefined
? requestedHeaders
: value,
),
response,
);
}
Expand Down Expand Up @@ -370,7 +384,10 @@ export class ApiProxy extends Context.Service<
const req = yield* HttpServerRequest.HttpServerRequest;

if (req.method === "OPTIONS") {
return addCorsHeaders(HttpServerResponse.empty({ status: 204 }));
return addCorsHeaders(
HttpServerResponse.empty({ status: 204 }),
req.headers["access-control-request-headers"],
);
}

const response = yield* httpEffect;
Expand Down
27 changes: 27 additions & 0 deletions packages/stack/src/ApiProxy.unit.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,33 @@ describe("ApiProxy", () => {
expect(res.headers.get("access-control-allow-origin")).toBe("*");
});

test("preflight echoes the requested headers", async () => {
// Browser clients evolve faster than any static allow list
// (supabase-js's x-supabase-api-version, PostgREST's Prefer); the
// preflight reflects what was asked for — the same default Kong's cors
// plugin gives the classic CLI's proxy.
const res = await fetch(`${proxyUrl}/rest/v1/users`, {
method: "OPTIONS",
headers: {
"access-control-request-headers": "authorization,prefer,x-supabase-api-version",
},
});
expect(res.status).toBe(204);
expect(res.headers.get("access-control-allow-headers")).toBe(
"authorization,prefer,x-supabase-api-version",
);
});

test("the echo is preflight-only: non-OPTIONS requests keep the static list", async () => {
const res = await fetch(`${proxyUrl}/health`, {
headers: {
"access-control-request-headers": "x-arbitrary-header",
},
});
expect(res.headers.get("access-control-allow-headers")).toContain("apikey");
expect(res.headers.get("access-control-allow-headers")).not.toContain("x-arbitrary-header");
});

// ---------------------------------------------------------------------------
// Auth transformation — publishableKey → anonJwt
// ---------------------------------------------------------------------------
Expand Down