postgrest-js: PATCH requests are failing because CORS from multiple origins (due to a browser extension)

Bug report

PATCH requests are failing because CORS from multiple origins. I'm trying to make an update() request to one of my tables and get a CORS error. I tried from another origin and the same happens.

To Reproduce

https://github.com/dcruz1990/contabilidad-simple/

System information

  • OS: Linux
  • Browser: Chrome
  • Version of supabase-js: "@supabase/supabase-js": "^1.31.2"
  • Version of Node.js: 6.14.15

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 25 (12 by maintainers)

Most upvoted comments

Holy shit, confirmed that’s the issue on my end. Turning that extension ON and OFF to see if it makes a difference, and yea it does. Didn’t expect that…

@dcruz1990 You say this is in Chrome. Do you by chance have this extension installed (or one similar) https://chrome.google.com/webstore/detail/allow-cors-access-control/lhobafahddgcelffkeicbaginigeejlf

I recalled a discussion in Discord where the user mentioned PATCH not working, and resolved it by removing their CORS “allower” extension (they did not mention the actual extension though).

Note by default that extension does not do patch and I believe also returns the requester website (versus *) to allow faking out the browser.

Edit: I loaded that extension and get these headers for a SB network call with it on:

  access-control-allow-methods: GET, PUT, POST, DELETE, HEAD, OPTIONS
  access-control-allow-origin: mytestsite.com

And this with it off:

  access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS,TRACE,CONNECT
  access-control-allow-origin: *
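
The header difference reported in the comment above, evaluated the way a browser evaluates a preflight response. This is an added example, not code from the thread or from Supabase; `checkPreflight`, `parseList` and the origin `https://app.example` are assumptions for illustration, while the two method lists are the ones quoted in the comment.

```javascript
// Added example (not from the thread): origin and method checks applied to a CORS
// preflight response, simplified from the Fetch standard (allow-headers check omitted).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Split a comma-separated header value into trimmed, non-empty tokens.
function parseList(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

// headers: response headers keyed by lower-case name; credentials: boolean.
function checkPreflight(headers, { origin, method, credentials = false }) {
  const allowOrigin = headers["access-control-allow-origin"];
  const methods = parseList(headers["access-control-allow-methods"]);
  if (allowOrigin === undefined) {
    return { ok: false, reason: "missing access-control-allow-origin" };
  }
  // "*" is a wildcard only for requests sent without credentials.
  if (!((!credentials && allowOrigin === "*") || allowOrigin === origin)) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  if (credentials && headers["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials not allowed" };
  }
  // Method tokens are compared case-sensitively; GET, HEAD and POST always pass.
  const methodOk = methods.includes(method) || SAFELISTED_METHODS.has(method) ||
    (!credentials && methods.includes("*"));
  if (!methodOk) {
    return { ok: false, reason: `method ${method} not in access-control-allow-methods` };
  }
  return { ok: true, reason: "preflight passes" };
}

// Constructed origin; method lists copied from the comment above.
const ORIGIN = "https://app.example";
const extensionOn = {
  "access-control-allow-methods": "GET, PUT, POST, DELETE, HEAD, OPTIONS",
  "access-control-allow-origin": ORIGIN, // the comment says the requesting site is returned
};
const extensionOff = {
  "access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS,TRACE,CONNECT",
  "access-control-allow-origin": "*",
};

for (const [label, h] of [["extension on", extensionOn], ["extension off", extensionOff]]) {
  console.log(label, checkPreflight(h, { origin: ORIGIN, method: "PATCH" }));
}
```

POST passes under both header sets, which is consistent with the later report in this thread that `.upsert` works where `.update` does not (postgrest-js sends `.upsert` as POST and `.update` as PATCH).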

@kiwicopple here is the app preview

As you can see, I'm doing a POST request but inside it I'm doing a PATCH and it fails, from localhost and from Ionic Dashboard origin.

@Flambe maybe your issue is related to this, I can't figure out how to fix it.

Privileges seem fine. Hm, there must be something else changing the CORS headers.

@dcruz1990 Share your project ref to support@supabase.io

@dcruz1990 I think there’s another page missing there, the anon and authenticated(usename column) privileges on the table would help to clarify things.

Just to clarify, the REST API does set the Access-Control-Allow-Methods:

https://github.com/PostgREST/postgrest/blob/7589102c6cd86598eed9bae84801823af7a10d78/test/spec/Feature/CorsSpec.hs#L23-L28

It always sets PATCH as shown in the above test.

There is something weird going on. Supabase sets the Access-Control-Allow-Origin header to be * and not https://q3c…appflowapp.co. Do you know if there is a proxy in between which is altering these headers?

@dcruz1990 in the link you posted, I do see that the CORS headers are being sent correctly. Is this happening only on an actual mobile device running an Ionic app?

@Flambe that seems to be a different issue on our Supabase Studio. Can you please create a separate issue for it?

Hi. Any update on the fix or workaround here? Currently experiencing the same thing.

Edit: ok, current workaround is by using .upsert instead of .update, which seems to be working just fine

Not sure if it’s related to this issue, but I figured that I’ll post this here if it is.

I’m getting a similar issue when trying to update custom SMTP settings on the /auth/settings page in Supabase where it always sends back 405 { "data": null, "error": { "message": "Method PATCH Not Allowed" } }. This only happens on self-hosted/supabase cli.

Might this be related?