Request header field User-Api-Key is not allowed by Access-Control-Allow-Headers

I get this error message when trying to use a User API key as described in the User API keys specification.
I think User-Api-Key and User-Api-Client-Id should be added to Access-Control-Allow-Headers header as defined in https://github.com/discourse/discourse/blob/master/config/initializers/004-message_bus.rb#L18.

Here is a PR that fixes this little bug.

Hmm @sam would need to peek at this.

Hmmm, can you explain how you are consuming the user API? I am not against adding this, just would like some clarification here.

2 Likes

I’m trying to post comments to my Discourse instance from another web application using user api keys. I managed to get the user key following the method described in your original topic and this other useful discussion.
After getting the key, when I send it along with my requests as a value of the User-Api-Key header, I get the Request header field User-Api-Key is not allowed by Access-Control-Allow-Headers error.
As I asked in my PR, I’m not sure if it’s enough to add the headers in the file config/initializers/004-message_bus.rb or whether we also need to add them in the file discourse/config/initializers/008-rack-cors.rb.

3 Likes

For comment posting it would be rack cors; message bus would only impact subscribing to the bus.

3 Likes

Ok, thank you for your explanation. I updated my PR accordingly.

1 Like

This is now merged in, thanks!

2 Likes

This topic was automatically closed after 29 hours. New replies are no longer allowed.
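
The check behind the error in this thread, as an added example that is not part of the original posts or of Discourse's code: a simplified JavaScript model of how a browser matches the headers of a cross-origin request against the Access-Control-Allow-Headers value of the preflight response. The header lists and key values are constructed placeholders, not Discourse's actual configuration, and the value-length limits on safelisted headers are left out.

```javascript
// Headers a browser may send cross-origin without them being listed in
// Access-Control-Allow-Headers (CORS-safelisted request headers).
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Parse a comma-separated Access-Control-Allow-Headers value into lowercase names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the request header names the preflight response does not allow.
// requestHeaders: object of name -> value; withCredentials: request carries cookies/auth.
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" is a wildcard only for requests without credentials,
  // and it never covers Authorization.
  const wildcard = allowed.has("*") && !withCredentials;
  const blocked = [];
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lower = name.toLowerCase();
    if (SAFELISTED.has(lower)) continue;
    if (lower === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue; // safelisted MIME type
    }
    if (allowed.has(lower)) continue; // header names compare case-insensitively
    if (wildcard && lower !== "authorization") continue;
    blocked.push(name);
  }
  return blocked;
}

// Constructed values for illustration only.
const BEFORE = "X-Requested-With, X-CSRF-Token, Content-Type";
const AFTER = BEFORE + ", User-Api-Key, User-Api-Client-Id";
const request = {
  "Content-Type": "application/json",
  "User-Api-Key": "PLACEHOLDER_KEY",
  "User-Api-Client-Id": "PLACEHOLDER_CLIENT",
};

console.log(blockedHeaders(request, BEFORE)); // rejected before the headers are listed
console.log(blockedHeaders(request, AFTER)); // nothing rejected once they are listed
```

Listing the two header names explicitly, as the PR does, keeps the allow-list narrow; a `*` value would not help a credentialed request at all.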