I'm using Python's FastAPI to manage the server's API and Axios hooks on my Frontend.
Here's my code snippet that handles details of the CORS policy on the server:
origins = ["http://localhost:3000"]
*****some code here*****
app = FastAPI(
title=settings.PROJECT_NAME,
version="1.0",
docs_url=f"{settings.API_V1_STR}/docs",
openapi_url=f"{settings.API_V1_STR}/openapi.json",
)
app.container = app
app.add_middleware(
CORSMiddleware,
allow_origins=origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
app.include_router(api_router, prefix=settings.API_V1_STR)
Here's the relevant hook that I'm using on the Frontend via Axios-hooks axios-hooks docs:
const [
{
response: marketResponse,
loading: marketLoading,
error: marketError,
},
] = useAxios({
url: serverURL("market/list"),
method: "GET",
});
It's important to note that I've double checked the allowed origin.
The issue:
As my web app requests the list via above mentioned axios hoook, the following error appears:
Frontend HTTP Error
Here's the Network Tab's Header Info:
Network's Header Info
As you'll notice Access-Control-Allow-Origin appears there 2x! Once in capped init letter and 2nd time in all lower case. I figured the issue somehow stems from this headers. Unfortunatelly can't find a particular way to fix it.
Thanks for any kind of help!
Googled multiple similiar issues and studied both Axios & Fast Api docs. Unfortunately couldn't find even a slight hint of solution.
The issue
This is actually a known issue with the Starlette CORSMiddleware.
So the issue is that Starlette CORSMiddleware adds the origin header without checking if it already exists. That is by design.
FastAPI is wrapping this module.
If you take a look at the actual Starlette code you will see that it is going to this line.
This explains the upper case version of Access-Control-Allow-Origin.
So why is this happening?
Multiple servers are running. A known issue is if you are using python-socketio then the socketio will add its own version of the header.
I noticed this line:
app.container = app
What is the reason for this? Can you try to comment it out and rerun the code?
Else check if your NGINX is setting CORS.
Related
I have a Next JS app connected to a CMS and hosted on Vercel - all links are dynamic and the pages are created by the content authors.
I am trying to create dynamic redirects that will force URLs to adhere to formats that are better for SEO. For example:
Enforce lowercase URLs
Replace spaces with dashes
Remove trailing slashes
For example, /test/Author Name/ would redirect to /test/author-name
Since I need to trigger a 301 redirect for these wrong URLs, the only way to do this with Next JS from what I have found is to return a Redirect from getStaticProps, this is what I have so far:
export const getStaticProps: GetStaticProps = async (context) => {
let requestedUrl = '/';
if (context?.params?.path) {
requestedUrl = '/' + (context?.params?.path as string[]).join('/');
}
//check for URLs with uppercases, spaces, etc. and clean them up
let modifiedUrl = requestedUrl;
modifiedUrl = modifiedUrl.trim().toLowerCase().replace(/\s\s+/g, ' ').replace(/\s/g, '-');
if (modifiedUrl != requestedUrl) {
return {
redirect: {
destination: modifiedUrl,
permanent: true,
},
};
}
This works wonderfully well running locally and connected to the CMS - everything is working as it should and all "faulty" URLs are corrected with the correct response code.
Sadly, this does not work on build, I have spent so much time so far trying to find an alternative, but no matter what I do, the build on Vercel fails with the error:
"redirect" can not be returned from getStaticProps during prerendering
The next best potential solution is to use Middleware, but that requires v.12 at least. Due to limitations from the CMS connector, we are forced to use Node v.11 :(
The alternative that I have built is to use router.push on the client side, but this... just looks terrible. The page loads, returns a 200, and then loads again with the corrected URL. Not good for the user's experience.
Any advice or suggestions? I am baffled that something this simple is this complicated with Next JS!
I resolved the issue... it looks like redirects on statically generated pages are not possible unfortunately. I removed getStaticProps and getStaticPaths, and added getServerSideProps instead. The redirects are now working correctly, but the site is not as fast as we are losing out on SSG.
We have a FastApi application that is hosted behind a reverse proxy.
The proxy authenticates the user using Kerberos and adds a X-Remote-User HTTP header to the request.
This header is required by the FastApi application. Here is an example route:
#app.get("/user/me")
async def get_user_me(x_remote_user: str = Header(...)):
return {"User": x_remote_user}
The X-Remote-User header is required for the request which is expected behavior.
When we now open the Swagger Ui, the header is documented and when clicking on "Try it out", we can provide the header value.
This behavior is great for development, but in all other cases it is undesired, because that header is provided by the reverse proxy. For instance, we generate clients using OpenAPI Generator and the clients then all require the X-Remote-User parameter in their requests.
Hence, it would be useful to have a configuration that distinguishes between the environments. If we are behind a reverse proxy, then the generated OpenAPI Schema by FastApi should not include the X-Remote-Header, otherwise if we are in development, it should be included.
What I did so far:
I checked the documentation about security and also some source code of these modules, but I was not able to find a solution.
In the documentation, I read the section Behind a Proxy, but nothing there points me to a potential solution.
I also read about Middleware, but again, no solution.
We could change the generated OpenApi schema. I sketched this in my answer below, but this is not a very elegant solution
Does anyone have a good solution to this problem?
We can use APIKeyHeader to remove the X-Remote-User header from the API signature, but still enforcing the header to be present.
from fastapi.security import APIKeyHeader
apiKey = APIKeyHeader(name="X-Remote-User")
#app.get("/user/me")
async def get_user_me(x_remote_user: str = Depends(apiKey)):
return {"User": x_remote_user}
When the header is not present, we get a "403 Forbidden". If it is present, we retrieve the header value.
The Swagger UI now has a button "Authorize" where we can fill-in the value of the X-Remote-User for testing purposes.
One approach is to generate the OpenApi schema as described in the documentation Extending OpenAPI. After the generation, remove the X-Remote-User from the schema. In the configuration could be a flag that the application it is behind a reverse proxy to execute the code conditionally:
from fastapi import FastAPI
from fastapi.openapi.utils import get_openapi
from MyConfig import Config
app = FastAPI()
#app.get("/items/")
async def read_items():
return [{"name": "Foo"}]
if Config.reverse_proxy:
def custom_openapi():
if app.openapi_schema:
return app.openapi_schema
openapi_schema = get_openapi(
title="Custom title",
version="2.5.0",
description="This is a very custom OpenAPI schema",
routes=app.routes,
)
// remove X-Remote-User here
app.openapi_schema = openapi_schema
return app.openapi_schema
app.openapi = custom_openapi
However this is not a very elegant solution, as we need to parse the Json string and remove the different deeply-nested occurrences of the X-Remote-User header everywhere. This is prone to bugs resulting in an invalid schema. Furthermore it could break if new Rest endpoints are added.
A new param will be soon available for Header, Query and other to exclude elements from the openAPI output: include_in_schema=False
Example:
def test(x_forwarded_for: str = Header(None, include_in_schema=False)):
...
Here the patch state: https://github.com/tiangolo/fastapi/pull/3144
ive been struggeling for awhile with this,
so i got two questions to ask.
First question:i cant change the profile on open route service.
my code is working when i put in the api-key in the code below.
var control;
function tests() {
var control = L.Routing.control({
waypoints: [
L.latLng(coords),
L.latLng(coords2)
],
router: new L.Routing.openrouteservice('Api-Key'),
}).addTo(map);
document.getElementById("RouteButton").onclick = tests;
};
But when i try changing the profile, it either doesnt change or get error messages.
The things i tried so far is.
router: new L.Routing.openrouteservice({api_key:'HIDDEN', profile:'footwalking'),
and
router: new L.Routing.openrouteservice('https:// api.openrouteservice.org /directions? & api_key = Hidden& profile = foot-walking'),
The first one works, but the profile doesnt change It is still using the driving-car default profile.
The Second one gives me a two error messages,
First error message is | Access to XMLHttpRequest at 'https://api.openrouteservice.org/directions?' from origin 'http://localhost:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. |
Second error message | corslite.js:87 GET https://api.openrouteservice.org/directions? 403 (Forbidden) |
both of the error messages gives off a long url which ive shorted down to https://api.openrouteservice.org/directions?.
The other Question i got is, how do i clear the map, so a previously drawn route gets removed when a new route is drawn. On the picture below you can see what happens at the moment when i request a second route, both the old and the new i shown.
two routes on the same map
Hope you guys can help.
open the L.Routing.OpenRouteService.js
i'm facing issue while running rest api service in loadrunner(VUGEN),in soap ui it is working fine.
My Data contains around 10 fields but while request it is breaking one parameter into two then i'm facing internal server error.
Please help and unable to continue in new line in case i want to write it in another line
Code is :
Action()
{
web_custom_request("Calculate",
"URL=http://sdfsdfsdfgsdfgsdfgsdfgsdfgsd/sdfgsdf/sdfgsd",
"Method=POST",
"Resource=0",
"EncType=application/json",
"Mode=HTTP",
"Body={\"program\":\"L002\",\"Number\":null,\"serviceNumber\":\"09000\",\"customerStateName\":\"{state}\",\"storeCode\":\"{store}\",\"Amount\":\"{amount}\",\"paymentDetails\":[{\"type\":\"{types}\",\"amount\":{amount}\"}]}",LAST);
return 0;
}
Unable to write it in two lines of code ,in case i'm trying to write then it is giving syntax error like , is missing or " is missing.Unable to write please any one help.
Response coming as:
{"program":"L002","Number":null,"serviceNumber":"09000","customer
StateName":"MAHARASHTRA","storeCode":"1111","invoiceAmount":"50","paymentDetails":[{"type"
:"CASH","amount":50"}]}
Line is breaking i.e customerStateName into customer,StateName because of this i'm getting Bad Request in Response,Please help.
Since LoadRunner 12.53, you have a new and easier way for making REST API calls, using the web_rest() API. See blog post about it.
I am working with REST in Yii. Therefore I use yiirestful plugin and Backbone.JS. At the moment I am perfectly able to do POST and GET request throughout REST. But when I want to update a record I alway get an 403 forbidden error. I shall explain what i've tried and how:
First of all I am saving my collection in Backbone like this:
Backbone.sync('update', this.collection);
Now I don't for sure if that's going to work but the fact is that any PUT request get's an 403.
Secondly, because I am working in a module I adjusted the URLmanager rules like this:
'contentManagement/api/<controller:\w+>'=>array('contentManagement/<controller>/restList', 'verb'=>'GET'),
'api/<controller:\w+>'=>array('<controller>/restList', 'verb'=>'GET'),
'api/<controller:\w+>/<id:\w+>'=>array('<controller>/restView', 'verb'=>'GET'),
'api/<controller:\w+>/<id:\w+>/<var:\w+>'=>array('<controller>/restView', 'verb'=>'GET'),
array('contentManagement/<controller>/restCreate', 'pattern'=>'contentManagement/api/<controller:\w+>', 'verb'=>'POST'),
array('<controller>/restUpdate', 'pattern'=>'contentManagement/api/<controller:\w+>/<id:\d+>', 'verb'=>'PUT'),
array('<controller>/restUpdate', 'pattern'=>'contentManagement/api/<controller:\w+>/<id:\d+>', 'verb'=>'PUT'),
array('<controller>/restDelete', 'pattern'=>'api/<controller:\w+>/<id:\d+>', 'verb'=>'DELETE'),
array('<controller>/restCreate', 'pattern'=>'contentManagement/api/<controller:\w+>', 'verb'=>'POST'),
array('<controller>/restCreate', 'pattern'=>'contentManagement/api/<controller:\w+>/<id:\w+>', 'verb'=>'POST'),
It could be the case that this causes the problem. But I am not very digged in to this rules.. I did the same as i did by the POST request but whatever I try it still gives the 403.
Thirdly i'll provide my request information:
PUT http://pimtest.php/Yii/trackstar/contentManagement/api/SidebarWidgetsUsed/
403 Forbidden
38ms
I think a id is needed after this url but when I provide an id in the data that should be enough to let backbone recognize it's about an PUT request / update request.
I have no clue where to look further in my code.. I understand it's a complicated story so any minimal advice is appreciated!
Greetz,
You have two (identical) rules that apply to PUT, and as you say, they require an ID. Without an ID, none of the rules will match for a PUT request.
Either provide an ID, or modify the rule to not require an id, e.g.:
array('<controller>/restUpdate', 'pattern'=>'contentManagement/api/<controller:\w+>', 'verb'=>'PUT'),
In any case, as you're not using id, I'm not sure why it's in the rule to start?