Silly question... DB webhook auth headers?
Warning: stupidity follows!
A while ago I built an API Gateway endpoint that sends messages to an SQS queue that are eventually processed by a Lambda. I have a Supabase DB webhook set up to call this endpoint on inserts.
My API gateway uses an authorizer lambda which checks for an authorizationToken in the event, then I validate it. My problem is... I cannot figure out where the hell this token is coming from anymore!
The flow is DB insert -> supabase webhook fires a POST to my api gateway -> api request is verified with my authorizer lambda -> message goes to SQS queue -> final processing lambda consumes the message.
The only thing I can think of is that I must have set the Supabase webhook to send an authorization header with the request, but I don't see that in the UI anywhere at all. I only see one single HTTP header (content type) and no parameters. The next step after Supabase sends the POST request is my authorizer lambda, so no clue where else the auth token would come from.
Did this used to be a feature or something? Is the header hidden automatically because it contained sensitive data? I feel like I'm going crazy lol - thanks in advance!
28 Replies
Click add a new header
i don't need a new header, this setup has been working for over a year, i'm just trying to find the alleged missing auth header 😛
There should be no extra header if you did not set one.
i verified the authorizer lambda is expecting a header from api requests
so supabase must be sending the header, e.g. i must have set it up a long time ago.
why is it not showing in the UI?
Did you code your own trigger function with pg_net or http?
If you used an http webhook there are only hardcoded headers.
Supabase uses the authorization header from the clients with 'bearer access_token/jwt' for its own REST API requests.


Maybe you created your own webhook without the UI?
https://supabase.com/docs/guides/database/webhooks#creating-a-webhook
You could add a header in that method but you would not have user jwt to add. That is not available inside postgres code. You could add service_role or anon jwts, but that is same as hardcoding.
that's fine - i don't need jwt, it's just a static "api key" basically
i don't think i would have created it in sql... very confusing haha
You could have hard coded api key value in the header options.
It would just be authorization header with a value of 'bearer apikey'.
right, that's what i was expecting to see. but it's not in the list of headers for that webhook
Maybe a bug that it does not show them after? Let me see if I can check
i only see the content-type header
as a sanity-check i just inserted a new row and the API call was made successfully, meaning something sent the auth header to api gateway
i wonder if it was hidden from the UI because the header was 'authorization' or something? undocumented security feature ha
thanks!
Nope...

ahhh that's it!
i just made a new webhook, put in an authorization header, saved, closed, re-opened... it's gone
odd
oh strange, did you save & re-open that one with the new header?
I've hard refreshed browser. And the authorization header is there. It is a webhook to a dummy url I just added. adding the header and hardcoding bearer jwt text.
Firefox browser.
interesting
i'm on safari, looks like across 2 different supabase projects, the auth header is hidden from the settings in the UI
the only difference i can see is i used Authorization with a capital A
I'll check that
and input a string that could maybe have been identified as a "token"
edit after a webhook created.

that's so strange
I don't have safari except on phone and will not be attempting that.
haha understandable
i just checked chrome, same behavior
mystery solved, i guess, but still strange!
thank you for your help 🙂
this explains it: https://github.com/supabase/supabase/blob/031c5644e7d6d3068206e7ce4ab6905f1634af20/apps/studio/components/interfaces/Database/Hooks/FormContents.tsx#L105
looks like there are some conditionals based on jwt verification for this to apply
Too late for me to dig in.
I'll check in tomorrow and see where you are at.
i created an issue for docs update: https://github.com/supabase/supabase/issues/38839
will try to create a PR if i have time tomorrow!
looks like this is a deeper issue, and potentially by design(?)...
auth headers are not only hidden from the client - they are removed from the list of headers, such that if you open the edit panel, change nothing, then "save", it will delete the previously-added header.
created a new issue here, happy to submit a PR but will wait for feedback in case this is by design - https://github.com/supabase/supabase/issues/38848