This would be a good answer for me except that I cannot get header based auth to work so I am attempting to do it with forms and am also getting CSRF. Any solution? I am trying to create a new topic using the API.

We will need more information to be able to help. Can you share a code snippet showing how you are trying to use the header based authentication?

The problem I’ve been having stems mostly from whenever I try to make a call with header based auth, the accepted headers are always “User-Api-Key” and “User-Client-Id” instead of “Api-Key” and “Api-Username” so I get CORS errors. I do not believe I need user based keys. I am just trying to do a s…

[Bild] Improve BAD CSRF error message when making API calls with content-type application/json the accepted headers are always “User-Api-Key” and “User-Client-Id” instead of “Api-Key” and “Api-Username” user-api-key and user-client-id are a completely different method of authentication. Regula…

I get a CORS error because the server is expecting User-Api-Key. I examine the expected headers in the OPTIONS response and that is what it says. There is a similar topic elsewhere on this forum where a user was experiencing this when calling from a javascript app.

Oh, so you are trying to make this request from a client-side javascript application? That is not permitted for numerous reasons. For example, if you include an admin API key in the source code of your javascript app, any user could gain full admin access to your forum. Here is a previous topic on t…

Yes that is what I am trying to do. That should be more clearly documented. That has been my whole strategy since getting started with Discourse. I appreciate your help. Been battling with this for days and reading the documentation. Will have to rethink my whole approach as I am currently buil…

This isn’t a restriction specific to Discourse - in general it is a bad idea to include admin credentials in the source code of a website. If you can make the Discourse API call from your node.js server, that would probably be the best solution. If you need your application to be purely client-side…

Frankly accessing APIs from client applications with CORS enabled is extremely common and standard. I can’t believe there is not a more secure way of doing this. An entire industry revolves around hosted APIs that are accessed from different domains. As for accessing with user api, I’ve seen how …

I think I’m in a similar position. A bit about the use case: I use Discourse as a backend and I build the frontend in VueJS. I intend to use the rest api alone. For each user in our platform I’ve created a user api key and I use both headers (Api-Key & Api-Username) for authentication. Each user …

@david can’t Discourse simply have the server sign a session secret with an HMAC, and this session secret in turn can be used to sign stuff in the given session? If it stolen, then presumably the session cookie or CSRF nonce wouldn’t also be. It is a bit like a certificate chain - you don’t have to …

CORS-Fehler beim Zugriff auf API aus JavaScript-Anwendung

Entwickler

david (David Taylor) 17. September 2019 um 13:09 4

[quote=“tdekoekkoek, Beitrag:8, Thema:117136”]
Die akzeptierten Header sind immer „User-Api-Key

Thema		Antworten	Aufrufe
API CORS Headers Incorrect Support	10	3058	6. Juli 2020
Acess-Control-Allow-Headers CORS Error with API after updating discourse Support	9	3290	22. Juli 2020
Having issue accessing the Discourse APIs from react app Development rest-api	6	915	10. April 2023
Authenticating using API keys when accessing API through fetch Development rest-api	4	1497	28. November 2019
Getting an error while trying to fetch individual posts General	1	909	14. April 2022

CORS-Fehler beim Zugriff auf API aus JavaScript-Anwendung

Verwandte Themen