
needed control over CORS allowed headers #3551

Open
fusionbeam opened this issue May 21, 2024 · 1 comment

@fusionbeam

Environment

  • PostgreSQL version: 16.3
  • PostgREST version: 12.0.2
  • Operating system: Ubuntu 22.04 LTS

Description of issue

I am trying to add a custom header (x-app-id) to postgrest requests. My intention is to use the value of this header in RLS policies.
I noticed PostgREST has no way to add this header to the list of allowed headers: Access-Control-Allow-Headers.

Would you consider supporting controlling the allowed headers via a configuration parameter similar to server-cors-allowed-origins?
It would be something like:
server-cors-allowed-headers="Authorization, Content-Type, Accept, Accept-Language, Content-Language, X-App"
or to just configure the extra headers:
server-cors-allowed-headers="X-App"

Thank you,
Ra

@laurenceisla
Member

laurenceisla commented May 22, 2024

For PostgREST to return Access-Control-Allow-Headers you'll need to add the header Access-Control-Request-Headers in the CORS pre-flight request. It will include the header that you specify there in the list of allowed headers by default. For example:

curl -X OPTIONS "http://localhost:3000/todos" \
        -H "Access-Control-Request-Method: GET" \
        -H "Access-Control-Request-Headers: X-App-Id" \
        -H "Origin: http://www.example.com" -i
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 22 May 2024 18:12:48 GMT
Server: postgrest/12.1 (b6c6f2b)
X-Request:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Headers: Authorization, X-App-Id, Accept, Accept-Language, Content-Language
Access-Control-Max-Age: 86400

AFAIK the browser adds Access-Control-Request-Headers to the pre-flight, when specifying headers in a fetch(), for instance.
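As an added example (not code from PostgREST or from the commenter), the pre-flight behaviour described above simulated in Python: the header names sent in Access-Control-Request-Headers are echoed into Access-Control-Allow-Headers alongside the defaults visible in the response, and an optional allowlist models the server-cors-allowed-headers parameter proposed in the issue, which is an assumption here and not an existing PostgREST setting.

```python
"""Simulate CORS pre-flight handling of Access-Control-Allow-Headers."""
from __future__ import annotations

from typing import Iterable, Optional

# Default allowed headers, taken from the pre-flight response shown in the thread.
DEFAULT_ALLOWED = ["Authorization", "Accept", "Accept-Language", "Content-Language"]


def parse_header_list(value: str) -> list:
    """Split a comma-separated header list, dropping blanks and case-insensitive duplicates."""
    seen, out = set(), []
    for name in value.split(","):
        name = name.strip()
        if name and name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out


def preflight_allow_headers(request_headers: dict,
                            allowlist: Optional[Iterable[str]] = None) -> Optional[str]:
    """Build the Access-Control-Allow-Headers value for a pre-flight request.

    Returns None when the request is not a CORS pre-flight (no Origin or no
    Access-Control-Request-Method). Without an allowlist, every requested header
    is echoed back (the default behaviour described in the comment). With an
    allowlist (hypothetical server-cors-allowed-headers), only listed names pass.
    """
    lower = {k.lower(): v for k, v in request_headers.items()}
    if "origin" not in lower or "access-control-request-method" not in lower:
        return None
    requested = parse_header_list(lower.get("access-control-request-headers", ""))
    if allowlist is not None:
        permitted = {h.lower() for h in allowlist}
        requested = [h for h in requested if h.lower() in permitted]
    # Header names are case-insensitive, so merge defaults and requested names without duplicates.
    return ", ".join(parse_header_list(", ".join(DEFAULT_ALLOWED + requested)))


def header_allowed(allow_headers_value: str, header_name: str) -> bool:
    """Browser-side check: would this custom header be accepted given the response value?"""
    return header_name.lower() in {h.lower() for h in parse_header_list(allow_headers_value)}


if __name__ == "__main__":
    # Constructed pre-flight request mirroring the curl call in the comment above.
    req = {"Origin": "http://www.example.com", "Access-Control-Request-Method": "GET",
           "Access-Control-Request-Headers": "X-App-Id"}
    print(preflight_allow_headers(req))
```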

Labels: Development
