I upgraded Discourse yesterday and I get all the API callbacks with errors. I have found that the problem is the authentication headers (1), but I am trying with some calls and I get this error:
Access to XMLHttpRequest at 'https://mydomain.com/notifications.json?username=admin' from origin 'https://mydomain.com' has been blocked by CORS policy: Request header field api-username is not allowed by Access-Control-Allow-Headers in preflight response.
I am using Vue and I have added the api-key and api-username to the headers like this:
You are putting your system API key in client side code?
This means that anyone can grab it from your JavaScript code and use it to completely own your forum.
Any Ajax HTTP requests to Discourse should be leveraging an existing session, or not be needing a session at all.
In my case I have SSO with a frontend app in JavaScript. Could I consume the API without using the authorization UI for every user? I would like a way that I could use the api-username … is that possible?