Postgrest Client session is not the same as Supabase Client instance one

[xiaoland]

Bug report

Describe the bug

I have a supabase client created in middleware which uses the user's access token, and a service role key supabase client created at the FastAPI app initializing.

However, I found out the header Authorization in these two supabase client's Postgres client session's content is the same!

For service role key supabase client:

For request client:

So the service role key cannot bypass the RLS, I'm really confused with it. Shouldn't every supabase client request supabase using its own session?

To Reproduce

1. init a supabase client with create_client(url, serv_key)
2. init another supabase client with create_client(url, anon_key)
3. anon_client.auth.set_session(access_token)
   • access_token is the jwt of an authenticated user
4. send PostgreSQL op using supabase serv client (if you set RLS, you will find it failed to update)

Expected behavior

Every client should be completely independent.

System information

• OS: Windows10
• Supabase-Py: 2.5.0

😉 Hope for your reply, sincere appreciation to your work!

[xiaoland]

might be a false positive

[xiaoland]

The reason is:

I share them the same ClientOptions ... I check the source and found out it has significant effect on headers