Access-Control-Allow-Headers CORS error with API after updating Discourse

I upgraded Discourse yesterday and all the API callbacks now fail with an error. I found that the problem is the authentication headers (1), but when I try some calls I get this error:

Access to XMLHttpRequest at 'https://mydomain.com/notifications.json?username=admin' from origin 'https://mydomain.com' has been blocked by CORS policy: Request header field api-username is not allowed by Access-Control-Allow-Headers in preflight response.

I am using Vue and I have added the api-key and api-username to the headers like this:

```javascript
// vue-resource call: the API key and username are sent as request headers
Vue.http.get(
  "https://discourse.mydomain.com/notifications.json?username=" + input.username,
  {
    headers: {
      "Api-Key": "xxxxxxxxxxxxxxxxx",
      "Api-Username": "system",
      "content-type": "application/json",
      accept: "application/json"
    }
  }
);
```

(1) Discourse API Documentation

You may need to have CORS set up in your site settings?

Yes, I have added the domain from which I call the API in the Discourse settings, but that error about the field api-username, I don't know how to resolve it.

You are putting your system API key in client-side code? :scream:
This means that anyone can grab it from your JavaScript code and use it to completely own your forum.

Any Ajax HTTP requests to Discourse should be leveraging an existing session, or not be needing a session at all.


It is not just a test, I am using the username:

```javascript
// vue-resource call: same request, but Api-Username is now the logged-in user
Vue.http.get(
  "https://discourse.mydomain.com/notifications.json?username=" + input.username,
  {
    headers: {
      "Api-Key": "xxxxxxxxxxxxxxxxxxxxxx",
      "Api-Username": input.username
    }
  }
);
```

But I get the same CORS error about the field api-username.


Let me repeat what I said:

That means: no authentication headers. At all.


You really should not be using these API credentials for CORS requests, which is why that header field is not allowed.

However, we do allow the user-api headers in CORS:

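The two replies above make the same point from opposite sides: the browser refuses `Api-Key` and `Api-Username` because the preflight response's `Access-Control-Allow-Headers` does not list them, and the supported alternatives are an existing session (no authentication headers at all) or the User API headers, which are allowed through CORS. The following is an added example, not code from this thread or from Discourse itself, that models the browser's preflight decision in plain JavaScript and builds the three request shapes side by side. `ASSUMED_ALLOW_HEADERS` is a constructed stand-in for whatever Discourse really returns, `discourse.mydomain.com` is the placeholder host from the question, and no network call is made, so it runs offline.

```javascript
// Added example (not from the thread or from Discourse). Models the CORS decision
// behind the error in the question and contrasts the three request shapes the
// thread discusses. Nothing here performs network I/O.

// CORS-safelisted request headers: a browser may send these cross-origin without a
// preflight, and they need not appear in Access-Control-Allow-Headers. The value
// restrictions on Accept/Accept-Language/Content-Language are ignored for brevity.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type values that keep a request "simple"; application/json is not one of them.
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// A header is CORS-unsafe when it is not safelisted, or is Content-Type with a non-simple value.
function isCorsUnsafe(name, value) {
  const lower = name.toLowerCase();
  if (!SAFELISTED.has(lower)) return true;
  if (lower === 'content-type') {
    const mediaType = String(value).split(';')[0].trim().toLowerCase();
    return !SIMPLE_CONTENT_TYPES.has(mediaType);
  }
  return false;
}

// Does the browser send an OPTIONS preflight before this request?
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => isCorsUnsafe(name, value));
}

// Given the Access-Control-Allow-Headers value from the preflight response, return the
// request headers the browser would reject. An empty array means the real request goes out.
// (The '*' wildcard is not modelled; it does not apply to credentialed requests anyway.)
function blockedHeaders(allowHeadersValue, headers) {
  const allowed = new Set(
    allowHeadersValue.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  return Object.entries(headers)
    .filter(([name, value]) => isCorsUnsafe(name, value) && !allowed.has(name.toLowerCase()))
    .map(([name]) => name);
}

// Constructed stand-in for the allow-list Discourse returns (an assumption, not the real value):
// the thread says Api-Key / Api-Username are deliberately absent while the User API headers are allowed.
const ASSUMED_ALLOW_HEADERS = 'Content-Type, User-Api-Key, User-Api-Client-Id';

const BASE = 'https://discourse.mydomain.com'; // placeholder host from the question

function notificationsUrl(username) {
  return `${BASE}/notifications.json?username=${encodeURIComponent(username)}`;
}

// 1. The question's original shape: an admin API key shipped to the browser.
//    Anyone reading the page source gets full API access as that user.
function adminKeyRequest(username, apiKey) {
  return {
    method: 'GET',
    url: notificationsUrl(username),
    headers: { 'Api-Key': apiKey, 'Api-Username': username, Accept: 'application/json' },
    credentials: 'omit',
  };
}

// 2. What the replies recommend: rely on the user's existing Discourse session
//    cookie and send no authentication headers at all.
function sessionRequest(username) {
  return {
    method: 'GET',
    url: notificationsUrl(username),
    headers: { Accept: 'application/json' },
    credentials: 'include', // browser attaches the session cookie; the server must echo the exact origin, not '*'
  };
}

// 3. The alternative named in the thread: a per-user User API key, whose headers pass CORS.
function userApiRequest(username, userApiKey) {
  return {
    method: 'GET',
    url: notificationsUrl(username),
    headers: { 'User-Api-Key': userApiKey, Accept: 'application/json' },
    credentials: 'omit',
  };
}

// Turn one of the shapes above into fetch() options: fetch(req.url, toFetchOptions(req)) in a browser.
function toFetchOptions(req) {
  return { method: req.method, headers: req.headers, credentials: req.credentials };
}

// Evaluate all three shapes against the assumed allow-list.
function summarize() {
  const shapes = {
    adminKey: adminKeyRequest('alice', 'REDACTED'),
    session: sessionRequest('alice'),
    userApi: userApiRequest('alice', 'REDACTED'),
  };
  const out = {};
  for (const [label, req] of Object.entries(shapes)) {
    out[label] = {
      preflight: needsPreflight(req.method, req.headers),
      blocked: blockedHeaders(ASSUMED_ALLOW_HEADERS, req.headers),
    };
  }
  return out;
}
```

`summarize()` shows the shape of the problem: the admin-key request triggers a preflight and has both `Api-Key` and `Api-Username` rejected; the session request is a simple request that never preflights; the User API request preflights but passes because its header is on the allow-list. The session variant only works if the Discourse CORS settings echo the calling origin and allow credentials, which is what the earlier "CORS in your site settings" reply refers to.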

I have read the User API keys specification

In my case I have SSO with a frontend app in JavaScript. Could I consume the API without using the authorization UI for every user? I would like a way that I could use the api-username... is that possible?

Regards

Could you solve this?
Thank you!

In the end, I went back to the previous version of Discourse so I didn't have to change all the API integration.