I have integrated the Twilio Authy API in my React project. I am calling:
fetch('https://api.authy.com/protected/json/phones/verification/start', {
  method: 'POST',
  body: JSON.stringify(resObject),
  // dataType is a jQuery option, not a fetch option, so it was dropped here
  headers: {
    'Accept': 'application/json',
    'content-type': 'application/json',
    'X-Authy-API-Key': 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',
  },
})
I am getting this error
Fetch API cannot load https://api.authy.com/protected/json/phones/verification/start. Response for preflight has invalid HTTP status code 401
I know this is a cross-origin issue but I am not able to fix it.
Authy developer evangelist here.
It is a very bad idea to include your Authy API key in the client side of your application. A malicious user could take your API key and use it to abuse your users via the Authy API.
We recommend that you perform your API requests on the server side, so that no-one can get at your API key. If you are using Node.js as a server, there is an Authy Node module to make this nice and easy. There are libraries available for other languages too.
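The server-side approach the answer recommends, as an added example that is not Twilio's, Authy's or the asker's code: a Node.js handler that starts the phone verification on the browser's behalf, so the API key only ever exists on the server. It assumes Node 18+ (global fetch), the key in an AUTHY_API_KEY environment variable, and that you mount handleStart on a route of your own choosing (for example POST /api/verify/start); the route, the response shape and the 4 KiB body cap are this example's own choices.

```javascript
// Added example, not Twilio/Authy code: a server-side Node.js handler that starts an
// Authy phone verification for the browser so the API key stays on the server.
// Assumes Node 18+ (global fetch), the key in the AUTHY_API_KEY environment variable,
// and that you mount handleStart on a route of your choice (e.g. POST /api/verify/start).

const AUTHY_START_URL = 'https://api.authy.com/protected/json/phones/verification/start';

// Validate the untrusted JSON body the browser sent. Returns an error string, or
// null when the body is acceptable. Only the three fields Authy needs are accepted.
function validateStartBody(body) {
  if (!body || typeof body !== 'object') return 'body must be a JSON object';
  if (!/^\d{1,3}$/.test(String(body.country_code))) return 'invalid country_code';
  if (!/^\d{4,15}$/.test(String(body.phone_number))) return 'invalid phone_number';
  if (body.via !== 'sms' && body.via !== 'call') return 'via must be "sms" or "call"';
  return null;
}

// Build the upstream request. The key is attached here, on the server, and the
// body is rebuilt from validated fields rather than forwarded verbatim.
function buildUpstreamRequest(body, apiKey) {
  return {
    url: AUTHY_START_URL,
    options: {
      method: 'POST',
      headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Authy-API-Key': apiKey,
      },
      body: JSON.stringify({
        via: body.via,
        country_code: String(body.country_code),
        phone_number: String(body.phone_number),
      }),
    },
  };
}

// Reduce the upstream reply to what the client needs. The raw upstream response is
// never relayed: it may carry details a caller has no reason to see.
function summarizeUpstream(status, json) {
  const ok = status === 200 && !!json && json.success === true;
  return { ok, message: ok ? 'verification started' : 'verification could not be started' };
}

// Read and parse a JSON request body with a size cap (constructed limit of 4 KiB).
async function readJsonBody(req, limit = 4096) {
  let size = 0;
  const chunks = [];
  for await (const chunk of req) {
    size += chunk.length;
    if (size > limit) throw new Error('body too large');
    chunks.push(chunk);
  }
  return JSON.parse(Buffer.concat(chunks).toString('utf8') || '{}');
}

function sendJson(res, status, obj) {
  res.writeHead(status, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(obj));
}

// Node http(s) request handler for the browser-facing endpoint.
async function handleStart(req, res) {
  const apiKey = process.env.AUTHY_API_KEY;
  if (!apiKey) return sendJson(res, 500, { ok: false, message: 'server not configured' });
  if (req.method !== 'POST') return sendJson(res, 405, { ok: false, message: 'POST only' });

  let body;
  try {
    body = await readJsonBody(req);
  } catch (e) {
    return sendJson(res, 400, { ok: false, message: 'bad request body' });
  }
  const problem = validateStartBody(body);
  if (problem) return sendJson(res, 400, { ok: false, message: problem });

  const { url, options } = buildUpstreamRequest(body, apiKey);
  const upstream = await fetch(url, options);
  let json = null;
  try { json = await upstream.json(); } catch (e) { json = null; }
  const summary = summarizeUpstream(upstream.status, json);
  return sendJson(res, summary.ok ? 200 : 502, summary);
}

if (typeof module !== 'undefined') {
  module.exports = { validateStartBody, buildUpstreamRequest, summarizeUpstream, handleStart };
}
```

The browser then calls your own endpoint (same origin, so no CORS preflight against api.authy.com at all) with just the phone fields; the key, the upstream URL and the upstream error details never reach the client.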
Related
In order to get OData from the SuccessFactors OData service, I'm trying to set up a connection between SuccessFactors and SAP BTP by creating a destination as described in this official guide.
Using Postman everything works fine, but once I check the connection of the destination I created, the response received is 401: Unauthorized.
Below is the configuration of the destination:
Here you can see the properties:
And here the response:
I know that this is wrong, but for the sake of curiosity I've also created a different destination with no authentication. Then, directly from code, I've developed three nested AJAX requests. The first provides the assertion, the second the user token, and the third is the one which, leveraging the token, gets the OData. Sadly the response is always 401: Unauthorized.
Below is the code of the last AJAX request; the other two are fine:
// Validate access token
$.ajax({
  type: 'GET',
  headers: {
    "Authorization": "Bearer " + sAccessToken
  },
  url: '/oauth/validate',
  success: function(data) {
    console.log("Success: ", data);
  },
  error: function(e) {
    console.log(e);
  }
});
Here is the request header:
So I'm not sure how your flow really is. Normally you would connect to BTP via an SAP Approuter, which has an xs-app.json that defines the routes and destinations to use. Then the Approuter would exchange the internal BTP JWT for a SAML assertion for SuccessFactors. If you want to request the authentication info yourself via the BTP Destination Service, you have to send a valid BTP JWT to the destination service in the HTTP header field X-user-token, and as a response you would get back a SuccessFactors OAuth bearer token.
See here
hope it helps
Regards
Mathias
Hi, I have built a Udemy API client that fetches the courses using React and axios. It works fine if Chrome has a CORS extension turned on, but otherwise it does not fetch the data.
I have already asked a question regarding this issue; please take a moment to read it. I have tried all the solutions provided online. Thanks
Related issue:
Failed to load resource. Origin is not allowed by Access-Control-Allow-Origin
This problem is usually related to the backend server, but if you don't have access to the server you have two options.
First option: use this Chrome extension: Allow-Control-Allow-Origin. Unfortunately this extension is not available in other browsers, so you need to use the
Second option: use an online CORS proxy like
https://cors-anywhere.herokuapp.com/http://example.com
http://cors-proxy.htmldriven.com/?url=http://www.htmldriven.com/sample.json
CORS proxy is a free service for developers who need to bypass same-origin policy related to performing standard AJAX requests to 3rd party services.
Here's an example of an Axios call using a CORS proxy:
import axios from 'axios';

const urlProxy = 'https://cors-anywhere.herokuapp.com/http://example.com';

export function post() {
  let users = {
    username: '',
    password: '',
  };
  return axios({
    method: 'POST',
    url: urlProxy,
    data: users, // Delete it if you don't have data
    withCredentials: true, // Delete it if your request doesn't require credentials
    headers: {
      'Accept': 'application/json',
      'Content-Type': 'application/json',
      // 'Origin' is set by the browser and cannot be overridden from script, and
      // the Access-Control-Allow-* headers are response headers only the server
      // can set, so they have no effect in a request and were removed here
    },
  })
    .then(function (response) {
      console.log(response);
    })
    .catch(function (error) {
      console.log(error);
    });
}
I added withCredentials; it makes your browser include cookies and authentication headers in your XHR request. If your service depends on any cookie (including session cookies), it will only work with this option set.
There's a Firefox extension that adds the CORS headers to any HTTP response, working on the latest Firefox (build 36.0.1) released March 5, 2015.
Check out this link
Hope this will help you
You can also try using the ModHeader extension to add CORS response headers, which supports both Chrome and Firefox (Disclaimer: I am the author), but I think the problem is with your backend. You really need to enable CORS in your backend for this to work properly. Using a proxy will also work, but that is just an extra layer of overhead (there will be a small performance penalty, more points of failure, etc.)
Here is a Chrome extension which works perfectly.
Moesif Origin & CORS Changer
Allow CORS: Access-Control-Allow-origin
I'm trying to send a POST AJAX request to a third-party service from my Outlook Add-in, but no matter what I try I receive Error: Access is denied, and status 0 (the request never hits the server).
Assuming we are running IE9 or 8 behind Outlook, I tried old-school hacks like https://github.com/MoonScript/jQuery-ajaxTransport-XDomainRequest.
$.ajax({
  url: endpoint,
  data: JSON.stringify({'1': '2'}),
  // headers: {'X-Requested-With': 'XMLHttpRequest'},
  contentType: 'text/plain',
  type: 'POST',
  dataType: 'json',
  error: function(xhr, status, error) {
    // error
  }
}).done(function(data) {
  // done
});
Is there something more I need to implement? Of course I added my domain to the manifest AppDomain property.
Cheers
The following needs to be done to send a request to a 3rd party service:
Add the service URI to the AppDomain list (you've done it.)
The service MUST have an SSL endpoint; "https://your.domain" must be included within the "AppDomain" entry (see above).
The service has to allow CORS requests for your application's (hosted Outlook app URI) domain, or for any domain. It is up to the service creators to allow or disallow client app connections via AJAX.
From observation of your code I notice you are sending a JSON object but setting the content type to "text/plain". Contact the service creators to get information on what type of data they accept as a request. Usually services allow "application/json", but not plain text.
curl -v -X POST -H "Authorization: Basic <base64 encoded client id:client secret value>" -k -d "grant_type=password&username=<username>&password=<password>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
(from https://docs.wso2.com/display/IS520/Resource+Owner+Password+Credentials+Grant)
This curl command works perfectly. But when I try to call it through AJAX:
$.ajax({
  type: 'POST',
  data: 'grant_type=password&username=admin&password=admin',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Authorization': 'Basic Z0hLUlA3eThYTmJydl9JR1pJemxDQ1VJQlo0YTozT2VLaUlmUVViMk1yZzZ2YU5uQVFsWFpDU29h'
  },
  url: 'https://localhost:9443/oauth2/token',
  success: function(data) {
    console.log(data);
  }
});
I got this error: "XMLHttpRequest cannot load https://localhost:9443/oauth2/token. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access."
How can I configure WSO2 IS to deal with it? Or is there an alternative for this?
There is a similar issue with WSO2 API Manager (WSO2 API Manager CORS). But there is no such directory '/repository/deployment/server/synapse-configs/' in WSO2 IS.
This is the expected behaviour when cross origin resource sharing (CORS) is not enabled on Identity Server. In fact you can enable CORS for Identity Server. Check [1] on how to do it.
[1] http://hasanthipurnima.blogspot.com/2016/05/applying-cors-filter-to-wso2-identity.html
I don't think the Token API of IS returns CORS headers. To get this working, you can front Token API of IS by API Manager. By default, APIM returns CORS headers in all REST APIs you create in it.
In fact, API Manager ships an API (i.e. https://localhost:8243/token) which fronts the token API of IS (i.e. https://localhost:9443/oauth2/token) (note: APIM has certain IS features installed in it). But it does not return CORS headers too. To make it return CORS headers, you should follow that SO link you have mentioned.
Another simple option is, if you only need CORS headers, you can simply front the Token API of IS with another custom service which returns CORS headers in the response.
I am testing jQuery AJAX calls to the API server from a different domain. Unfortunately I am getting an OPTIONS error. Here is my request code:
$.ajax({
  url: "https://localhost:44356/api/Default/",
  headers: {
    "Authorization": "Bearer " + user.access_token
  },
  success: function (res) {
    logAjaxResult(res);
  },
  error: function() {
    logAjaxResult('Error');
  }
});
Which gives
XMLHttpRequest cannot load https://localhost:44356/api/Default/. Response for preflight has invalid HTTP status code 405.
Normally this is an easy fix: I install Microsoft.AspNet.WebApi.Cors, set up a provider and always allow OPTIONS through. I can see how I would normally do this on the Identity Server box too, as there is a CorsProvider you can register. My issue however is on the API box: I am using IdentityServerBearerTokenAuthenticationOptions and I see no CORS options. When I try to set up the WebAPI.Cors provider, though, I get an error saying there are multiple origins set on the server to allow. This indicates to me (correct me if I'm wrong) that the WebApi box has somehow got the CORS settings from my identity server box that is registered as its authority. Is this right?
How do I configure to allow pre-flight requests with app.UseIdentityServerBearerTokenAuthentication(options)?
Many thanks
This issue was resolved when I found the documentation uses
Microsoft.Owin.Cors
I was using the package
Microsoft.AspNet.WebApi.Cors