From 1dc33e81f0f085bba4cd6352cd1396fc5abcfde3 Mon Sep 17 00:00:00 2001
From: Louis <la.programmations@gmail.com>
Date: Mon, 11 Aug 2025 21:41:33 +0200
Subject: [PATCH] fix: make Authorization header check case-insensitive

- Fix issue #1043 where custom Authorization headers were checked case-sensitively
- HTTP headers should be case-insensitive according to RFC standards
- Replace exact key match with case-insensitive check using Object.keys().some()
- This allows headers like 'authorization', 'Authorization', 'AUTHORIZATION' to work correctly
---
 src/SupabaseClient.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/SupabaseClient.ts b/src/SupabaseClient.ts
index ca5733cd..d54fadd8 100644
--- a/src/SupabaseClient.ts
+++ b/src/SupabaseClient.ts
@@ -315,7 +315,9 @@ export default class SupabaseClient<
       fetch,
       // auth checks if there is a custom authorizaiton header using this flag
       // so it knows whether to return an error when getUser is called with no session
-      hasCustomAuthorizationHeader: 'Authorization' in this.headers,
+      hasCustomAuthorizationHeader: Object.keys(this.headers).some(
+        (key) => key.toLowerCase() === 'authorization'
+      ),
     })
   }