S
Supabase4w ago
Emil

403 when invoking sb edge function from vercel function

Hi, I am build a vercel function to redirect users. The final url is beeing processed based on data from a supabase table. In order to access that table, i wrote a simple edge function on supabase which basically takes an id and returns a "matching" string. The problem is that, when invoking this function from the vercel function, i get an 403 from supabase. When i invoke the function in my frontend though (where I am a logged in user), it works. I've already tried calling it with anon and service role keys and set the verify_jwt to false, but it still doesn't work. Any ideas on how to solve this? This is how i invoke, the client is build with the anon key from my supabase: 
const { data, error } = await supabase.functions.invoke(
    "admin/getCustomerUrlFromIdent",
    {
        body: { ident: deviceIdent },
    }
);
const { data, error } = await supabase.functions.invoke(
    "admin/getCustomerUrlFromIdent",
    {
        body: { ident: deviceIdent },
    }
);
Thanks in advance!
11 Replies
ihm40
ihm404w ago
could you double check that the anon/service key matches what is in your supabase. Have you moved over to jwt signing keys recently? is thar code block on the frontend the same as that which you have here?
Emil
EmilOP4w ago
Hey, thanks for the answer. They do match, we are still using using the legacy jwt secret. This is the exact code block.
ihm40
ihm404w ago
is it possible related to a cors issue? If the 403 comes with any text in the logs of the full message that would help
Emil
EmilOP4w ago
it only gives back a "403 Forbidden", but my function itself doesn't return a 403 so supabase itself returns it
ihm40
ihm404w ago
maybe check the supabase logs for that 403 request see if there is more detail there
Emil
EmilOP4w ago
const headers = (origin)=>({ "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Methods": "POST, GET, OPTIONS", "Access-Control-Allow-Headers": "content-Type, authorization, apikey, x-client-info" }); const isOriginAllowed = (origin)=>{ const allowedOriginRegex = /^(https://(([a-z0-9-]+.)*my-website.app|localhost))|(http://(localhost|192.168.\d{1,3}.\d{1,3}):(5173|4173))$/; if (!origin || !allowedOriginRegex.test(origin)) return false; return true; };
ihm40
ihm404w ago
is this supabase function on remote/platform that you are invoking?
Emil
EmilOP4w ago
i'm invoking the supabase function from a vercel function oh i guess it is a cors error, i don't have the vercel url in my allowed origins
ihm40
ihm404w ago
makes sense
Emil
EmilOP4w ago
actually still not working, i solved it now by giving my vercel function a service role key and let it do directly what the supabase function was supposed to do, that works and should be fine securitywise. Thanks for your help anyway!
ihm40
ihm404w ago
no worries and yeah if this is server side then that seems fine

Did you find this page helpful?