I have an EmberJS application that uses ember-data to access data via a REST API. The REST API is running on the same machine but on a different port (although this probably applies to REST API's that are served from another domain.
When I go to the URL localhost:4200/items I get the following error in the Firefox console:
Content Security Policy: The page's settings blocked the loading of a resource at http://localhost:7654/api/items ("connect-src http://localhost:4200 ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200").
I tried installing ember-cli-cors but nothing changed. I also tried the solution at http://discuss.emberjs.com/t/ember-data-and-cors/3690, but that didn't work either. That discussion was from 2013, so that's not a huge surprise.
The REST API is written in python using Flask and Flask-cors. Using the network tab I can see that the request is being sent, and the data being sent back, but the error is still there. The header Access-Control-Allow-Origin is set to http://localhost:4200 in the response, as expected.
app/router.js
import Ember from 'ember';
import config from './config/environment';
var Router = Ember.Router.extend({
location: config.locationType
});
export default Router.map(function() {
this.route('items');
});
app/adapters/application.js
import DS from 'ember-data';
export default DS.RESTAdapter.extend({
namespace: 'api',
host: 'http://localhost:7654',
});
app/routes/items.js
import Ember from 'ember';
export default Ember.Route.extend({
model: function() {
return this.store.find('item');
}
});
app/models/item.js
import DS from 'ember-data';
export default DS.Model.extend({
name: DS.attr(),
});
app/templates/items.hbs
{{#each item in items}}
{{ item.name }}<br>
{{else}}
<p>No items</p>
{{/each}}
{{outlet}}
This is a CSP issue not CORS
Inside config/environment.js find the ENV.contentSecurityPolicy and add http://localhost:7654 to your 'connect-src' key
e.g.
ENV.contentSecurityPolicy = {
// ... other stuff here
'connect-src': "'self' http://localhost:7654"
}
You will probably need a different setting for your production environment as well.
For testing environment you can use proxy.
ember s -proxy http://localhost:7654
So all back-end request goes to your server which is running on port 7654.
Related
I'm developing an app using Ionic Framework and generated a JHipster project for my backend. My JHipster project runs on an extra Server and is called via REST requests from my App. So my problem now is handling the CORS and CSRF configuration.
My JHipster project has its own frontend, which runs on the same domain and while testing I can reach my backend without any issues. However, when I want to call my backend on the server from my Ionic app my xsrf tokens wont update properly and, therefore, I cannot access my backend. I already tried several solutions from different stack overflow posts, but none of them worked for me.
For example:
Ionic using CORS and CSRF
Could not verify token
https://github.com/angular/angular/issues/18859
What I've done so far:
I enabled csrf in my SecurityConfiguration in my JHipster project
http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
.exceptionHandling()
.authenticationEntryPoint(problemSupport)
.accessDeniedHandler(problemSupport)
added CORS configuration
cors:
allowed-origins: 'http://localhost:8100, ionic://localhost, http://localhost'
allowed-methods: 'POST, GET, OPTIONS, DELETE, PUT, HEAD'
allowed-headers: 'Origin, X-Requested-With, Content-Type, Accept, x-auth-token, Authorization, X-CSRF-Token, x-xsrf-token, XSRF-TOKEN'
exposed-headers: 'Authorization,Link,X-Total-Count,XSRF-TOKEN, X-XSRF-TOKEN'
allow-credentials: true
max-age: 86400
wrote an interceptor
#Injectable()
export class HttpXSRFInterceptor implements HttpInterceptor {
constructor(private tokenExtractor: HttpXsrfTokenExtractor, private csrfService:CSRFService, private $sessionStorage: SessionStorageService) {
}
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
const headerName = 'XSRF-TOKEN';
const respHeaderName = 'X-XSRF-TOKEN';
let token = this.tokenExtractor.getToken() as string;
if (token !== null && !req.headers.has(headerName)) {
req = req.clone({ headers: req.headers.set(respHeaderName, token) });
req.clone({
withCredentials: true
});
}
return next.handle(req);
}
}
added HttpClientXsrfModule in my app.module.ts and the interceptor
HttpClientXsrfModule.withOptions({
cookieName: 'XSRF-TOKEN',
headerName: 'X-XSRF-TOKEN',
}),
{
provide: HTTP_INTERCEPTORS,
useClass: HttpXSRFInterceptor,
multi: true
},
My Problem:
I dont get a xsrf token when starting my App in the browser, but after I send a post request the token gets set as a cookie.
For example when logging in, the first attempt fails due to the missing token, but the second login request is successful because now the response header for the xsrf token is not null anymore. Furthermore, the token does not update itself even though the server response has a new token in its header.
From my understanding
the first time I get my token should be immediately after loading the start page of my app
the token should be updated after each response from the server (backend) and the updated token is used for the next request
Therefore my problem is that both these issues do not happen and I don't know how to fix it.
I appreciate any help!
cheers
I'm the author of Ionic for JHipster so hopefully, I can help you with this.
First of all, CSRF shouldn't be an issue unless you're running your apps on the same port. In my experience, when you run them on separate ports, your client can't read the cookie. As for CORS, that's not a problem for me when running locally. I believe it's because the CORS settings for the dev profile are wide open. Can you try using the settings from the dev profile in your prod profile and see if it helps?
For reference, they are:
jhipster:
cors:
allowed-origins: '*'
allowed-methods: '*'
allowed-headers: '*'
exposed-headers: 'Authorization,Link,X-Total-Count'
allow-credentials: true
max-age: 1800
If this works, I'd try changing your allowed origins to an array, or just use one. http://localhost:8100 should be all you need if running locally.
Context: I'm starting a new project for my company. It's been many years since I've done some web development and decided to build it using the latest platforms (so I'm a still new to all of this).
Current stack:
Aurelia frontend (running on localhost:9000)
Backend REST API using ExpressJS (running on localhost:8000)
PostGreSQL database running on AWS, providing data for the backend
Question: I can't seem to connect my frontend with my backend properly.
Here is my code:
import {inject} from "aurelia-framework";
import {HttpClient} from "aurelia-http-client";
#inject(HttpClient)
export class Login {
constructor(httpClient){
this.http = httpClient;
}
signIn() {
const url = 'http://localhost:8000/api/user/demo/test';
this.http
.get(url)
.then(data => {
console.log("data");
console.log(data);
})
.catch(error => {
console.log('Error getting ' + url);
console.log(error);
});
};
}
This always end up in the catch block, with a "response: ProgressEvent"
If I put the url in the browser I get a proper JSON:
{"status":"success","data":[],"message":"Retrieved ALL users"}
The code above only works for 'local' content, i.e. localhost:9000. As soon as I need content from somewhere else I get this error. What am I missing?
I think that CORS is not allowing you to access localhost:8000 from localhost:9000. To solve this, you should enable your ExpressJS server to accept CORS requests from localhost:9000 (or all hosts using a wildcard "*").
Look into these resources:
https://enable-cors.org/server_expressjs.html
https://github.com/expressjs/cors
Or search Google for 'expressJS cors'.
I have a rest API running on localhost:8001/my_app/api/, and I have apache setup to reverse proxy it from localhost/my_app/api. That's working fine.
In order to have permissions to do anything with the api, it requires my session cookie, my csrftoken cookie and a X-CSRFToken HTTP header. I've configured adapters/application.js as follows:
adapters/application.js
import Ember from 'ember';
import DRFAdapter from './drf';
export default DRFAdapter.extend({
headers: Ember.computed(function() {
return {
'X-CSRFToken': Ember.get(document.cookie.match(/csrftoken\=([^;]*)/), '1'),
};
}).volatile(),
ajax: function(url, method, hash) {
hash = hash || {}; // hash may be undefined
hash.crossDomain = true;
hash.xhrFields = {withCredentials: true};
return this._super(url, method, hash);
}
});
If I do a ember build -prod and copy the contents of the dist dir to /var/www/myApp/, apache serves my app, and it works just fine.
It's when I try to use ember-cli's builtin development server where I run into problems. I'm getting 403 errors from my api. It turns out that while the X-CSRFToken header is being sent neither of my cookies are. If I look in my chrome developer tools, it shows that I have both cookies - they simply aren't in the request headers. They're both from localhost, so I'm a bit confused.
Also, I currently I have CORS on my rest backend setup. Here are the headers I'm currently receiving:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:4200
I thought that since allow-credentials == true and allow-origin != * that cookies were supposed to be allowed. sigh.
Here's my API_HOST and contentSecurityPolicy:
config/environment.js
if (environment === 'development') {
ENV.APP.LOG_TRANSITIONS = true;
ENV.APP.API_HOST = "http://localhost"
ENV.contentSecurityPolicy = {
'default-src': "'none'",
'script-src': "'self' 'unsafe-eval' localhost",
'font-src': "'self'",
'connect-src': "'self' localhost",
'img-src': "'self'",
'style-src': "'self'",
'media-src': "'self'"
};
}
As you can see above, the api requests are being sent through my reverse proxy. I've played around with ember serve --proxy trying both http://localhost:80/ and http://localhost:8001/ but neither have helped. I've also tried setting my development ENV.API_HOST = 'http://localhost:8001/'; with and without the various proxy values.
This edit, build, deploy, refresh my browser, test, & repeat process is REALLY slow and getting old REALLY fast.
Could someone please explain to me how to get the ember-cli development server to properly access my rest api?
I'm using Ember CLI 0.0.36. When I run ember server in my project folder, my understanding is that a server buried in some Brocoli process gets started. However I would like to program a custom Express server and have my app point to that Node.js code for its backend. How would I go about doing that within the Ember CLI framework?
UPDATE:
Following #user3155277's answer, I added an adapter file like so:
app-name/app/adapters/application.js:
import DS from 'ember-data';
export default DS.RESTAdapter.reopen({ namespace: 'api' });
I created an Express server that I put at the root of my app:
app-name/server.js:
var express = require("express"),
app = express(),
path = require("path");
app.get("/api/test", function(req, res) {
res.json({
hello: "world"
});
});
var server = app.listen(8147);
In the Ember app, my index route is defined as so:
app-name/app/routes/index.js:
import Ember from 'ember';
export default Ember.Route.extend({
model: function() {
return Ember.$.getJSON("/api/test").then(function(data) {
return data;
});
}
});
On the command line I then start the server like so:
ember serve --proxy http://localhost:8147/
I get the following error:
version: 0.0.35-master-86abdb11ba
Proxying to http://localhost:8147/
object is not a functionTypeError: object is not a function
at Class.module.exports.Task.extend.start (D:\ember-cli\lib\tasks\server\express-server.js:41:43)
at Class.module.exports.Task.extend.run (D:\ember-cli\lib\tasks\serve.js:40:23)
at Class.module.exports.Command.extend.run (D:\ember-cli\lib\commands\serve.js:35:18)
at Class.Command.validateAndRun (D:\ember-cli\lib\models\command.js:74:15)
at CLI.<anonymous> (D:\ember-cli\lib\cli\cli.js:33:20)
at tryCatch (D:\ember-cli\node_modules\rsvp\dist\commonjs\rsvp\-internal.js:163:16)
at invokeCallback (D:\ember-cli\node_modules\rsvp\dist\commonjs\rsvp\-internal.js:172:17)
at publish (D:\ember-cli\node_modules\rsvp\dist\commonjs\rsvp\-internal.js:150:13)
at flush (D:\ember-cli\node_modules\rsvp\dist\commonjs\rsvp\asap.js:51:9)
at process._tickCallback (node.js:419:13)Livereload server on port 35729
This is actually pretty simple with Ember CLI 0.0.40:
Create folder structure
ember new my-app
Go into the newly created folder
cd my-app
Generate api-stub* (see update)
ember generate api-stub my-server
This latter command creates a server folder with an index.js file and a routes folder with a my-server.js file.
Open my-server.js file and you see:
module.exports = function(app) {
var express = require("express");
var myServerRouter = express.Router();
myServerRouter.get("/", function(req, res) {
res.send({my-server:"something"});
});
app.use("/api", myServerRouter);
};
All you need to do then is to change that file. If the Ember app makes calls to /api/hamsters and /api/project, edit as follows:
module.exports = function(app) {
var express = require("express");
var myServerRouter = express.Router();
myServerRouter.get("/hamsters", function(req, res) {
res.send({ ... });
});
myServerRouter.get("/project", function(req, res) {
res.send({ ... });
});
app.use("/api", myServerRouter);
};
To start the server (from project's root):
ember server
Make sure you have updated node.js to the latest version as well.
Updates
As of Ember CLI 0.0.41 (via this PR) api-stub has been renamed http-mock.
I started playing with ember cli so i'm not sure but i found the following:
https://github.com/dockyard/ember-cli-plus-backend/tree/rails-served-html/frontend/api-stub
Basically you should proxy your express server to the same port as your ember-cli (so then you don't have to deal with jsonp issue)
Set the method to 'proxy' and define the proxyURL to pass all API requests to the proxy URL.
UPDATE:
1.Generate adapter ember generate adapter application
2.Make api namespace - fill the created file with the following code:
export default DS.RESTAdapter.reopen({
namespace: 'api'
});
3.Start the server with ember serve --proxy http://localhost:1337/ (this will proxy all your request to localhost:4200 to 1337
4.Make routes in your express app prefixed by /api
Hope it helps
I have searched around on the forums and read some other posts. However, I'm not sure how exactly to go about this. I have a store with a proxy that I'm trying to load with data from a server. I have tried both jsonp and rest for the type of proxy without luck. In both cases I get a 403 forbidden error. followed by an XMLHTTPRequest cannot load error.
Here's the error that I see in the Chrome console:
Here's my code:
Ext.define('EventsTest.store.Venues', {
extend: 'Ext.data.Store',
requires: [
'Ext.data.proxy.Rest',
],
config: {
storeId: 'venuesStore',
model: 'EventsTest.model.Venue',
proxy: {
type: 'rest',
url: 'http://leo.web/pages/api/',
headers: {
'x-api-key': 'senchaleotestkey'
},
limitParam: false,
pageParam: false,
enablePagingParams: false
/*
extraParams: {
latitude: 45.250157,
longitude: -75.800257,
radius: 5000
}
*/
}
}
});
Security policy in browser and desktop is different so even if it fails in browser it can work in phone. But now the question is how to manage while you are developing the app, for that have a look at this similar question :
How to use json proxy to access remote services during development
Regarding that OPTION request which is getting 403 response, try setting withCredentials : false and useDefaultHeader : false. Details here
http://docs.sencha.com/touch/2-1/#!/api/Ext.data.Operation-cfg-withCredentials
http://docs.sencha.com/touch/2-1/#!/api/Ext.data.Connection-cfg-useDefaultHeader
I would suggest you to read more about CORS if you want to use remote services, you may choose to enable CORS on your server.
You're running your app on a local domain "sencha.test", but you're trying to access data on "leo.web" - the error is that you're trying to load data across domains, which isn't allowed via AJAX.
You say that JSONP doesn't work... why not? Does your server return valid JSONP?