
fix: support both Authorization and authentication headers for API key auth #89

Claude 5 ماه پیش
والد
کامیت
2aad175891
2فایلهای تغییر یافته به همراه10 افزوده شده و 3 حذف شده
  1. 9 2
      supabase/functions/_shared/internal-api-key-auth.ts
  2. 1 1
      supabase/functions/query-shoprenter/index.ts

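--- a/supabase/functions/_shared/internal-api-key-auth.ts
+++ b/supabase/functions/_shared/internal-api-key-auth.ts
@@ -30,10 +30,17 @@ export interface RateLimitResult {
 }
 
 /**
- * Extract internal API key from Authorization header
+ * Extract internal API key from Authorization or authentication header
+ * Supports both standard "Authorization" and non-standard "authentication" headers
  */
 export function extractInternalApiKey(request: Request): string | null {
-  const authHeader = request.headers.get("Authorization");
+  // Try standard Authorization header first
+  let authHeader = request.headers.get("Authorization");
+
+  // Fall back to lowercase "authentication" header (used by some clients like VAPI)
+  if (!authHeader) {
+    authHeader = request.headers.get("authentication");
+  }
 
   if (!authHeader) {
     return null;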
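Review bot: The fallback added to `extractInternalApiKey` reads the API key from a header named `authentication`, which proxies, shared caches and log scrubbers do not treat as a credential the way they treat `Authorization`, so the key can end up in access logs or traces that redact only the standard header. If the fallback has to stay for the VAPI client, add `authentication` to the redaction list of anything that records request headers. The doc comment should also state the precedence, for example `// Authorization wins when both headers are present; "authentication" is read only when Authorization is absent or empty`. The word "lowercase" in the added comment is misleading, because `Headers.get()` matches header names case-insensitively. The function body continues past the end of the hunk, so how the extracted value is parsed and compared is not visible here.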

+ 1 - 1
supabase/functions/query-shoprenter/index.ts

@@ -29,7 +29,7 @@ import {
 
 
 const corsHeaders = {
 const corsHeaders = {
   'Access-Control-Allow-Origin': '*',
   'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+  'Access-Control-Allow-Headers': 'authorization, authentication, x-client-info, apikey, content-type',
   'Access-Control-Allow-Methods': 'POST, OPTIONS'
   'Access-Control-Allow-Methods': 'POST, OPTIONS'
 };
 };