Acess-Control-Allow-Headers CORS Error with API after updating discourse

pablogg · April 12, 2020, 4:51pm

I upgrade discourse yesterday and I get all the API callbacks with error I have found that the problem is the autentications headers (1) but I trying with some calls and I get this error:

Access to XMLHttpRequest at 'https://mydomain.com/notifications.json?username=admin' from origin 'https://mydomain.com' has been blocked by CORS policy: Request header field api-username is not allowed by Access-Control-Allow-Headers in preflight response.

I using Vue and I have added the api-key and api-username to the heades like this:

Vue.http
        .get(
             "https://discourse.mydomain.com/notifications.json?username="+input.username,
          {
            headers: {
             "Api-Key":"xxxxxxxxxxxxxxxxx",
             "Api-Username": "system",
              "content-type": "application/json",
              accept: "application/json"
            }
          }
        )

(1) Discourse API Documentation

blake · April 12, 2020, 5:29pm

You may need to have CORS setup in your site settings?

pablogg · April 12, 2020, 5:54pm

Yes, I have added the domain where I call the API in discourse settings, but that error about field api-username, I dont know when I have to resolve.

RGJ · April 12, 2020, 6:05pm

You are putting your system API key in client side code?
This means that anyone can grab it from your Javascript code and use it to completely own your forum.

Any Ajax HTTP requests to Discourse should be leveraging an existing session, or not be needing a session at all.

pablogg · April 12, 2020, 6:09pm

Not just a testing , I am using the username

      Vue.http
    .get(
      "https://discourse.mydomain.com/notifications.json?username="+input.username,
      {
        headers: {
       "Api-Key":"xxxxxxxxxxxxxxxxxxxxxx",
        "Api-Username": input.username    
        }
      }
    )

But I getting the same error with de Cors and the field api-username

RGJ · April 12, 2020, 6:09pm

Let me repeat what I said:

That means: no authentication headers. At all.

blake · April 12, 2020, 6:24pm

You really should not be using these API credentials for CORS requests which is why that header field is not allowed.

However we do allow the user-api headers in CORS:

pablogg · April 12, 2020, 7:14pm

I have read the User API keys specification …

In my case I have SSO with a frontend app in javascript, Could I consuming the API without using the authorization UI for every user? I would like a way that a could use de api-username … is that possible?

Regards

federico_lezcano · July 22, 2020, 4:39am

could you solve this?
Thank you!

pablogg · July 22, 2020, 7:27am

In the end, I went back to the previous version of Discourse so I didn’t have to change all the API integration

Topic		Replies	Views
CORS error accessing API from javascript application dev	11	3031	April 9, 2023
API CORS Headers Incorrect support	11	2705	June 8, 2023
Request header field User-Api-Key is not allowed by Access-Control-Allow-Headers bug	7	2342	August 31, 2018
Having issue accessing the Discourse APIs from react app dev rest-api	6	641	April 10, 2023
Getting an error while trying to fetch individual posts General	1	761	April 14, 2022

Acess-Control-Allow-Headers CORS Error with API after updating discourse

Related Topics