fix: replace auth header for backwards compatibility (#4206)

sweatybridge · web-flow · commit d81798fa1866 · 2025-09-25T18:18:27.000+08:00
diff --git a/internal/start/start.go b/internal/start/start.go
@@ -349,9 +349,14 @@ EOF
 			ApiHost:       utils.Config.Hostname,
 			ApiPort:       utils.Config.Api.Port,
 			BearerToken: fmt.Sprintf(
-				// Pass down apikey as Authorization header for backwards compatibility with legacy JWT.
-				// If Authorization header is already set, Kong simply skips evaluating this Lua script.
-				`$((function() return (headers.apikey == '%s' and 'Bearer %s') or (headers.apikey == '%s' and 'Bearer %s') or headers.apikey end)())`,
+				// If Authorization header is set to a self-minted JWT, we want to pass it down.
+				// Legacy supabase-js may set Authorization header to Bearer <apikey>. We must remove it
+				// to avoid failing JWT validation.
+				// If Authorization header is missing, we want to match against apikey header to set the
+				// default JWT for downstream services.
+				// Finally, the apikey header may be set to a legacy JWT. In that case, we want to copy
+				// it to Authorization header for backwards compatibility.
+				`$((function() return (headers.authorization ~= nil and headers.authorization:sub(1, 10) ~= 'Bearer sb_' and headers.authorization) or (headers.apikey == '%s' and 'Bearer %s') or (headers.apikey == '%s' and 'Bearer %s') or headers.apikey end)())`,
 				utils.Config.Auth.SecretKey.Value,
 				utils.Config.Auth.ServiceRoleKey.Value,
 				utils.Config.Auth.PublishableKey.Value,
diff --git a/internal/start/templates/kong.yml b/internal/start/templates/kong.yml
@@ -12,7 +12,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: auth-v1-open-callback
@@ -27,7 +27,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: auth-v1-open-authorize
@@ -42,7 +42,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: auth-v1
@@ -57,7 +57,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: rest-v1
@@ -72,7 +72,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: rest-admin-v1
@@ -87,7 +87,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: graphql-v1
@@ -105,6 +105,8 @@ services:
           add:
             headers:
               - "Content-Profile: graphql_public"
+          replace:
+            headers:
               - "Authorization: {{ .BearerToken }}"
   - name: realtime-v1-ws
     _comment: "Realtime: /realtime/v1/* -> ws://realtime:4000/socket/websocket"
@@ -119,7 +121,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: realtime-v1-longpoll
@@ -135,7 +137,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: realtime-v1-rest
@@ -151,7 +153,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: storage-v1
@@ -166,7 +168,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: pg-meta
@@ -192,7 +194,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: analytics-v1
@@ -207,7 +209,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: pooler-v2-ws
@@ -223,7 +225,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: mcp
