Request header field User-Api-Key is not allowed by Access-Control-Allow-Headers


(Davide Porrovecchio) #1

I get this error message when trying to use User API key as described in User API keys specification.
I think User-Api-Key and User-Api-Client-Id should be added to Access-Control-Allow-Headers header as defined in discourse/004-message_bus.rb at master · discourse/discourse · GitHub.

Here is a PR that fixes this little bug.


Request header field Content-Type is not allowed by Access-Control-Allow-Headers
(Jeff Atwood) #2

Hmm @sam would need to peek at this.


(Sam Saffron) #3

Hmmm, can you explain how you are consuming the user API, I am not against adding this, just would like some clarification here.


(Davide Porrovecchio) #4

I’m trying to post comments to my Discourse instance from another web application using user api keys. I managed to get the user key following the method described in your original topic and this other useful discussion.
After getting the key, when I send it along with my requests as a value of the User-Api-Key header, I get the Request header field User-Api-Key is not allowed by Access-Control-Allow-Headers error.
As I asked in my PR, I’m not sure if it’s enough to add the headers in the file config/initializers/004-message_bus.rb or we need to add them also in the file discourse/config/initializers/008-rack-cors.rb.


(Sam Saffron) #5

For comment posting it would be rack cors, message bus would only impact subscribing to the bus.


(Davide Porrovecchio) #6

Ok, thank you for your explanation. I updated my PR accordingly.


(Sam Saffron) #7

This is now merged in, thanks!


(Sam Saffron) #8

This topic was automatically closed after 29 hours. New replies are no longer allowed.