Postman Strange 401s - rest

I am trying to use the PostMan client to hit a REST API. Using the client, I get a 401. If I take the exact same information and use the PostMan Chrome Extension, I get a 200. Reading the forums, someone mentioned that the REST API needs to have CORS enabled (because PostMan is basically a webapp), but I am a little confused as to how I would do that. On the server side, I have the ability to plug in allowed CORS domains, but if it is coming from my local machine, it doesn't have a domain, right?

Related

Including a body in a GET, PUT, or POST request results in response of "You need to enable JavaScript to run this app"?

The short story: If I hit my endpoint /api/something with a PUT and no body, it goes through to my Lambda (via CF -> API GW -> Lambda). If I add a body to the request, it doesn't work and seems to die before hitting the API Gateway. I'm not sure why it would do this.
The long story:
I've set up a CloudFront distribution that sends requests to /api to our API gateway and all other requests just vend static website resources.
It has been working great so far for our simple use cases. We previously only hit the API Gateway with GET requests, but now we're going to start needing to send PUT or POST requests to the API Gateway. I had to update the CloudFront distribution "behaviors" for the /api path pattern (the one going to the API gateway) to allow all HTTP methods. After that, I was able to start getting responses from the API Gateway for PUT and POST (previously it only worked for GET).
However, I noticed that if I try to send a payload or body with the request (regardless of the request type), I don't think it actually hits the API Gateway or the Lambda that the API Gateway is routing to, because I get a response of "You need to enable JavaScript to run this app". I tried looking at the logs but couldn't find anything. The headers show "Error from cloudfront" but I'm not sure why, or where to find what the error was.
Any tips on how to troubleshoot this or what the issue might be?
Update (10/8): I figured out the "enable JavaScript" thing was coming up because of my custom error pages for 403 & 404 errors. I deleted them in my development environment and now get a clearer error:
"This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner."
However, I still don't know what to do, as the request type (PUT) is enabled and the request works as long as I don't provide a body. Not sure how to get it to be ok with a body at the moment.

Is there a way to utilize an API without a client key?

Trying to access the API for Shortboxed: https://api.shortboxed.com/ using Visual Studio Code. I saw that on the website there is no way to generate a key, and, not being completely accustomed to the use of APIs, I ask if there is a way to access the data with just the API domain.
The following images are of my code; most likely this is an error in that.
It depends on the way the API was developed. Many APIs will use authentication/authorization (not the same thing exactly, but grouped together here to keep things simple). This involves the sender of the HTTP request identifying themselves, often by including a client key or token.
You'll know if the API answers unauthenticated or unauthorized requests by calling it. If you get a 2xx response (200, 204, etc.) then you were allowed to. If the API's developer sticks to the HTTP spec strictly, they will return a status code like 401 Unauthorized (https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400). You can often find this information in the API docs so that you don't have to try things out to figure it out from scratch.
So at this point, it's up to that particular API's public documentation to describe its authentication/authorization to you so you know how you can call it.
I notice you say:
I saw that on the website there is no way to generate a key
So if you've already consulted their documentation and it says that you shouldn't need a key to call the API, but you get a response code like 401, you should contact their support to find out what may be going wrong.
It's also worth mentioning that this will work the same no matter the HTTP client: Visual Studio Code, curl, Insomnia, Postman, a web browser (as long as it supports CORS), etc.

Integrating back end to front end

Our organization has a data collection on their servers. A SOAP API has been implemented and the data can be accessed using the WSDL in SoapUI. I am a front-end developer, and when I make a POST request using XMLHttpRequest to get the query result, it throws a CORS error: "Response to the preflight request doesn't pass access control". It is NOT possible to enable CORS on the data collection servers. I am using Liferay for the website front end and the back end.
Any suggestions on how I can get the query results from the front end without enabling CORS on the database servers (this is different from the Liferay backend server)? Or can I use a website backend to interact with the database? Or use third-party services like Kinvey?
I have had similar issues in the past. Like you, I wanted to create a basic webpage on my machine that contained some JavaScript to call an API. With this approach, I got the CORS issue you are seeing.
I then hosted my page on a web server and I still got the CORS issue.
To resolve it, I had to create a web app, which I wrote in Java. This back end contained its own API. One of the resources in 'my' API was a simple wrapper to call the API of interest. I then modified the webpage I wrote (now all hosted in the same web app) to call my API, which in turn calls the API of interest.
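The wrapper approach the answer above describes, as an added example that is not the answerer's Java code: a small Python back end that the page calls on its own origin (so no CORS applies) and that forwards only a fixed set of routes to the upstream API. The upstream base URL, the server-held token, the route table and the port are constructed placeholders. Two points matter for security and are easy to get wrong in a wrapper: it must not be an open proxy (only known routes are forwarded, each to a fixed upstream resource), and the browser's ambient headers (cookies, Authorization) must not leak upstream, while the real upstream credential stays on the server.

```python
"""Same-origin wrapper endpoint: the page calls this server, this server calls the upstream API.

Added example; the upstream base URL, token and routes are constructed placeholders.
"""
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_BASE = "https://upstream-api.example.test"      # constructed placeholder
UPSTREAM_TOKEN = "server-held-credential-placeholder"    # never shipped to the browser

# Each wrapper path maps to one fixed upstream method and resource, so the wrapper
# forwards only what it was written for and cannot serve as an open proxy.
ROUTES = {
    "/my-api/items": ("GET", "/v1/items"),
    "/my-api/search": ("POST", "/v1/search"),
}
# Browser-ambient and hop-by-hop headers never reach the upstream.
DROP_HEADERS = {"cookie", "authorization", "host", "connection",
                "origin", "referer", "content-length"}


def build_upstream_request(method, path, headers, body=None):
    """Translate a wrapper request into an upstream request, or return None if not routable."""
    route_path, _, query = path.partition("?")
    route = ROUTES.get(route_path)
    if route is None or route[0] != method.upper():
        return None
    fwd = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}
    fwd["Authorization"] = "Bearer " + UPSTREAM_TOKEN  # credential is attached server-side
    url = UPSTREAM_BASE + route[1] + ("?" + query if query else "")
    return {"method": route[0], "url": url, "headers": fwd, "body": body}


class WrapperHandler(BaseHTTPRequestHandler):
    def _forward(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        up = build_upstream_request(self.command, self.path, dict(self.headers.items()), body)
        if up is None:
            self.send_error(404, "no such wrapper route")
            return
        req = urllib.request.Request(up["url"], data=up["body"],
                                     headers=up["headers"], method=up["method"])
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status = resp.status
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
                payload = resp.read()
        except urllib.error.HTTPError as err:
            # Pass the upstream status through unchanged (e.g. its own 401).
            status, ctype, payload = err.code, err.headers.get("Content-Type", "text/plain"), err.read()
        except urllib.error.URLError:
            status, ctype, payload = 502, "text/plain", b"upstream unreachable"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = _forward
    do_POST = _forward


if __name__ == "__main__":
    # The HTML/JS front end is served from this same origin, so the browser sends no preflight.
    HTTPServer(("127.0.0.1", 8080), WrapperHandler).serve_forever()
```

For the SOAP case in the question, the `/my-api/search` POST route would carry the SOAP envelope as its body and the upstream resource would be the SOAP endpoint; the same allowlist and header-stripping logic applies.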

Confusion about REST API calls

I have an API gateway installed that I'm trying to program against. Requests work when using apps like Postman, but when I try to connect through code in the form of XMLHttpRequests I get 401... No 'Access-Control-Allow-Origin' header is present on the requested resource, saying that the server doesn't allow cross-site calls.
Maybe I'm not fully understanding how this works, but it seems that apps like Postman circumvent this somehow, whereas when I'm trying to access the API from a local file in my browser I bump into this problem.
Do I need to host the webpage I'm calling from to get this to work? Or am I missing something else here?
When the browser issues an XMLHttpRequest, it checks whether the origin (i.e. the domain) of that request is allowed by the endpoint to send requests. The check is done by a preflight request, i.e. an HTTP OPTIONS request, whose response should contain an Access-Control-Allow-Origin header with the domain originating the request (or * to allow all domains).
Since this is a security measure of the browser, mainly based on the fact that while browsing web pages the user may not know which requests are sent to which endpoints, Postman simply does not need to apply it because its requests are explicitly sent by the user himself.
https://developer.mozilla.org/en-US/docs/Glossary/CORS
https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

Tuleap - REST API with Cross-Origin Resource Sharing

I have a question regarding the Tuleap REST API when used with CORS.
Basically, I'm trying to make a REST call to see the backlog of my project.
Referring to the API Explorer, to do so I need to do a GET call like this: /api/projects/{id}/backlog. I also need to add the custom headers X-Auth-Token and X-Auth-UserId to ensure authentication.
When I do this request with an HTTP request tool (Poster for Firefox), everything works fine and I get status 200.
The problem now is that I'm trying to develop an application (in AngularJS) that would do the same request.
I noticed that when the page is doing the request, it starts by doing a preflight OPTIONS request, which is due to Cross-Origin Resource Sharing.
It seems like the X-Auth-Token and X-Auth-UserId headers are being put in the Access-Control-Request-Headers. Because of that I get a 401 Unauthorized response code from the server and I can't complete the request.
I've been looking online and couldn't find my answer as to how to make this call work.
There was a recent contribution that should remove the need for authentication on all OPTIONS routes in order to enable the preflight: http://gerrit.tuleap.net/#/c/2642/ It was integrated in Tuleap 7.2.99.36.
Either your version of Tuleap is too old or there is a bug.
Note all calls still require some headers such as "Content-Type: application/json"; the integration tests should provide good examples of how to make calls:
https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=tree&h=9a513f2b7e765f7b9a4f7f72e9d43f40f623fec5&hb=293d47e4006531d3c0d04edfc6e7058e53c7c9c8&f=tests/rest
and
https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=tree&h=4d9071865a42cbd0d40f5f933b4b0b1047c54a8c&hb=293d47e4006531d3c0d04edfc6e7058e53c7c9c8&f=tests/lib/rest
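The server side of what the two CORS answers above describe (the preflight OPTIONS request answered with Access-Control-Allow-Origin, and the Tuleap point that OPTIONS routes must not require authentication), as an added example that is neither Tuleap's code nor any answerer's: a minimal Python API that uses the thread's X-Auth-Token / X-Auth-UserId headers. The allowed origins, the expected token and the port are constructed placeholders. The preflight is decided purely on the CORS policy, because the browser sends it without the custom headers; the token is checked only on the actual request. The origin check is an exact allowlist rather than echoing whatever Origin arrives or using *, since the API is authenticated.

```python
"""CORS policy for an API that uses custom auth headers (X-Auth-Token, X-Auth-UserId).

Added example; constructed origins, token and port are placeholders, not from the thread.
"""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGINS = {"https://app.example.test", "http://localhost:4200"}  # constructed
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
# Header names compare case-insensitively, so the allowlist is kept lower-case.
ALLOWED_HEADERS = {"content-type", "x-auth-token", "x-auth-userid"}
EXPECTED_TOKEN = "constructed-demo-token"  # stands in for a real per-user token


def cors_headers_for(origin, request_method=None, request_headers=""):
    """Return the CORS response headers for a request, or None if the origin/preflight is refused.

    origin          -- value of the Origin header (None for same-origin or non-browser clients)
    request_method  -- Access-Control-Request-Method on a preflight, None on an actual request
    request_headers -- Access-Control-Request-Headers on a preflight (comma separated)
    """
    if origin is None:
        return {}  # curl, Postman, same-origin pages: no CORS headers needed at all
    if origin not in ALLOWED_ORIGINS:
        return None  # exact allowlist; never reflect an unknown Origin, never '*' on an authenticated API
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if request_method is not None:  # this is a preflight
        if request_method.upper() not in ALLOWED_METHODS:
            return None
        wanted = [h.strip().lower() for h in request_headers.split(",") if h.strip()]
        if any(h not in ALLOWED_HEADERS for h in wanted):
            return None  # the page asked for a header the API does not accept
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"  # let the browser cache this preflight
    return headers


def check_auth(headers):
    """Validate the custom auth headers of an actual request (never of a preflight)."""
    token = headers.get("X-Auth-Token", "")
    user_id = headers.get("X-Auth-UserId", "")
    return bool(user_id) and hmac.compare_digest(token, EXPECTED_TOKEN)


class Handler(BaseHTTPRequestHandler):
    def _send(self, status, cors, body=b""):
        self.send_response(status)
        for name, value in cors.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        # A preflight carries no credentials or custom headers by design, so it is answered
        # on the CORS policy alone; demanding X-Auth-Token here yields the 401 from the thread.
        cors = cors_headers_for(self.headers.get("Origin"),
                                self.headers.get("Access-Control-Request-Method", "GET"),
                                self.headers.get("Access-Control-Request-Headers", ""))
        self._send(204 if cors is not None else 403, cors or {})

    def do_GET(self):
        cors = cors_headers_for(self.headers.get("Origin"))
        if cors is None:
            self._send(403, {}, b'{"error":"origin not allowed"}')
        elif not check_auth(self.headers):
            self._send(401, cors, b'{"error":"unauthorized"}')  # auth enforced on the real request
        else:
            self._send(200, cors, b'{"backlog":[]}')


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Requests from Postman or curl carry no Origin header, which is why they succeed regardless of the CORS policy, while the same request from a page on an origin outside the allowlist is blocked by the browser.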