From b493bc4f67681efd476b7e6229d5891069f86d5e Mon Sep 17 00:00:00 2001
From: Maharshi Patel <102695974+Maharshi2403@users.noreply.github.com>
Date: Tue, 23 Sep 2025 19:06:33 -0400
Subject: [PATCH] fix(realtime): prevent empty Authorization header in REST fallback

- Avoid sending empty Authorization header when no session exists
- Use global.headers.Authorization or supabaseKey as fallback
- Fixes 500 error on /realtime/v1/api/broadcast
- Closes #38820
---
 src/SupabaseClient.ts | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/SupabaseClient.ts b/src/SupabaseClient.ts
index 3acd10edf..9b587f4c4 100644
--- a/src/SupabaseClient.ts
+++ b/src/SupabaseClient.ts
@@ -301,10 +301,21 @@ export default class SupabaseClient<
 if (this.accessToken) {
 return await this.accessToken()
 }
-
+
 const { data } = await this.auth.getSession()
-
- return data.session?.access_token ?? this.supabaseKey
+
+ // If no session exists, check for global Authorization header or fall back to supabaseKey
+ if (!data.session?.access_token) {
+ // Prefer global.headers.Authorization if explicitly set
+ const authHeader = this.headers['Authorization'] || this.headers['authorization']
+ if (authHeader) {
+ return authHeader.startsWith('Bearer ') ? authHeader.replace('Bearer ', '') : authHeader
+ }
+ // Otherwise, use supabaseKey (service role key)
+ return this.supabaseKey
+ }
+
+ return data.session.access_token
 }

 private _initSupabaseAuthClient(
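Review bot: In the added `if (authHeader)` branch, a header that does not start with exactly `Bearer ` is returned whole, so `bearer <jwt>` (the auth scheme is case-insensitive) or a `Basic …` value would be passed on as the access token with its scheme still attached. Match the scheme explicitly and fall through to `this.supabaseKey` when it is anything else, e.g. `const m = /^Bearer\s+(\S+)$/i.exec(authHeader)` followed by `if (m) return m[1]`. The comment `(service role key)` on the fallback is not established by anything in the hunk; the key is whatever the client was constructed with, so `// Otherwise, use the key the client was created with` would avoid suggesting that a service-role key belongs here. The enclosing method starts above the hunk, so the handling of `this.accessToken` is only partly visible.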