We were discussing this in #871166066871636024 and it might be a good idea to provide an allowed origins option in the dashboard, perhaps passed in via a docker container env variable.
Current behaviour:
- The CORS handler (https://github.com/supabase/gotrue/blob/master/api/api.go#L200) doesn't specify an AllowedOrigins parameter (as per https://github.com/rs/cors#parameters), so it appears that all origins are allowed, as the default value if not specified is `*`
Ideal behavior:
- If an allowed origins option is specified (dashboard or env), CORS behaviour will limit requests to only those specific origins; otherwise, all origins will be allowed
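
The requested behaviour, sketched as an added example using only the Go standard library (this is not gotrue's code and does not use rs/cors). The `CORS_ALLOWED_ORIGINS` variable name and the helper names are hypothetical, and only the origin decision is covered, not preflight method or header negotiation.

```go
package main

import (
	"log"
	"net/http"
	"os"
	"strings"
)

// parseAllowedOrigins splits a comma-separated list; empty input yields no entries.
func parseAllowedOrigins(raw string) []string {
	var out []string
	for _, o := range strings.Split(raw, ",") {
		if o = strings.TrimRight(strings.TrimSpace(o), "/"); o != "" {
			out = append(out, o)
		}
	}
	return out
}

// withCORS sets Access-Control-Allow-Origin only for listed origins, or
// "*" when no list is configured (the fallback the issue asks to keep).
func withCORS(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(set) == 0 {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		} else {
			// The response now depends on Origin, so caches must key on it.
			w.Header().Add("Vary", "Origin")
			if o := r.Header.Get("Origin"); set[o] {
				w.Header().Set("Access-Control-Allow-Origin", o)
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// CORS_ALLOWED_ORIGINS is a hypothetical variable name, not a gotrue setting.
	origins := parseAllowedOrigins(os.Getenv("CORS_ALLOWED_ORIGINS"))
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("ok\n"))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", withCORS(origins, api)))
}
```

An origin that is not on the list gets no `Access-Control-Allow-Origin` header, so the browser blocks the page from reading the response; the request itself still reaches the handler.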