WSO2 V3.0 CORS Issue - wso2

When I am trying to integrate my React JS application with the gateway I am facing a CORS issue as below:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://IP:port/userme. (Reason: header ‘access-control-allow-credentials’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
Everything is working from curl & Postman requests but not from the browser.
curl request (successful request)
HTTP/1.1 200
X-Frame-Options: DENY
Access-Control-Expose-Headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: HEAD, DELETE, POST, GET, PATCH, PUT
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=37C2604B133C7B9D1345A9E13A878A36; Path=/; HttpOnly
Expires: 0
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Authorization
Content-Type: application/json;charset=UTF-8
Date: Tue, 17 Mar 2020 16:26:14 GMT
Transfer-Encoding: chunked

Try
1) enabling access-control-allow-credentials and
2) adding access-control-allow-credentials to the Access-Control-Allow-Headers list in the configuration.

CORS is enabled by default for all APIs, but you need to send the following values in the header. Earlier I was sending Access-Control-Allow-Headers and other values too, which was causing the issue.
'Accept': 'application/json',
'content-Type':'application/json',
'Access-Control-Allow-Origin': '*',
'Authorization' : 'Bearer '+token,
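An added example, not code from the question, the answers or WSO2: it applies the browser-side rules of the Fetch standard to the values shown above, so the failure can be reproduced without a gateway. It decides which request headers are CORS-safelisted, whether a request needs a preflight at all, and which header names the browser rejects when they are absent from Access-Control-Allow-Headers. It goes a little beyond the single failing header in the question by also covering the `*` wildcard and the credentialed case. Function names are mine; GATEWAY_ALLOW_HEADERS and WORKING_REQUEST_HEADERS are copied from the posts, and the bearer token value is a placeholder. Note that Access-Control-Allow-Origin and Access-Control-Allow-Credentials are response headers: putting them on the request only adds non-safelisted names that the preflight must then permit.

```javascript
// CORS-safelisted request headers (Fetch standard): usable without being listed in
// Access-Control-Allow-Headers, subject to value restrictions approximated below.
const SAFELISTED_NAMES = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

function isSafelisted(name, value) {
  const v = String(value);
  if (name === 'content-type') {
    const mime = v.split(';')[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(mime);   // application/json is NOT safelisted
  }
  // The standard also forbids certain bytes in the value; only the 128-byte limit is kept here.
  return SAFELISTED_NAMES.has(name) && v.length <= 128;
}

// "authorization,Access-Control-Allow-Origin,Content-Type" -> Set of lowercase names
function parseAllowHeaders(value) {
  return new Set(String(value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean));
}

// Does this request trigger a preflight at all?
function needsPreflight(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(requestHeaders).some(([n, v]) => !isSafelisted(n.toLowerCase(), v));
}

// The browser's check on the preflight response: return the request header names it
// would refuse to send (an empty array means the actual request goes out).
function preflightHeaderCheck(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" is only a wildcard for credential-less requests, and never covers Authorization.
  const wildcard = !withCredentials && allowed.has('*');
  const rejected = [];
  for (const [rawName, value] of Object.entries(requestHeaders)) {
    const name = rawName.toLowerCase();
    if (isSafelisted(name, value)) continue;
    if (allowed.has(name)) continue;
    if (wildcard && name !== 'authorization') continue;
    rejected.push(name);
  }
  return rejected;
}

// Values from the posts: the gateway's allow-list and the request header set the answer ended up with.
const GATEWAY_ALLOW_HEADERS = 'authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Authorization';
const WORKING_REQUEST_HEADERS = {
  'Accept': 'application/json',
  'content-Type': 'application/json',
  'Access-Control-Allow-Origin': '*',
  'Authorization': 'Bearer <token-placeholder>',
};

// The header set that produced the Firefox message in the question.
const FAILING_REQUEST_HEADERS = { ...WORKING_REQUEST_HEADERS, 'Access-Control-Allow-Credentials': 'true' };

console.log('working set rejected:', preflightHeaderCheck(WORKING_REQUEST_HEADERS, GATEWAY_ALLOW_HEADERS));
console.log('failing set rejected:', preflightHeaderCheck(FAILING_REQUEST_HEADERS, GATEWAY_ALLOW_HEADERS));
```

Running preflightHeaderCheck on the working header set returns an empty array; adding Access-Control-Allow-Credentials to the request reproduces the rejected name from the Firefox message, which is exactly what the two answers above address from the server side.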

Related

.htaccess block wp-json

I have one normal WordPress website on which I am trying to block requests to wp-json. I am aware that such requests go via the core of WordPress. My request looks like this:
[root#SV-CentOS-01 ~]# curl -i https://www.website.com/wp-json/wp/v2/users/1
When I add RewriteRule ^wp-json.*$ - [L,R=404] at the top of my .htaccess I get a 404 server response and the API returns me the users of my website. Is there actually a way to achieve what I want via .htaccess, or do we need to do it the WordPress way?
Example:
[root#SV-CentOS-01 ~]# curl -i https://www.website.com/wp-json/wp/v2/users/1
HTTP/1.1 404 Not Found
Date: Mon, 20 Sep 2021 14:14:13 GMT
Server: Apache
Vary: Accept-Encoding,Cookie,Origin
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Robots-Tag: noindex
Link: <https://www.website.com/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Allow: GET
Set-Cookie: PHPSESSID=5c07eaa455457ca0ef4b358d016c3b8d; path=/
Upgrade: h2,h2c
Connection: Upgrade
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
{"id":1,"name":"User One","url":"","description":"","link":"https:\/\/www.website.com\/author\/admin\/","slug":"admin","meta":[],"_links":{"self":[{"href":"https:\/\/www.website.com\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/www.website.com\/wp-json\/wp\/v2\/users"}]}}[root#SV-CentOS-01 ~]#
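An added example, not from the post and not WordPress or Apache code: a small parser for `curl -i` output and a check that decides whether a blocking rule actually withheld the resource. It makes the point visible in the transcript above: the status line says 404 while the JSON body still carries the user record, so the status code alone is no evidence that the endpoint is blocked. It also recognises WordPress's own REST error envelope (`code`, `message`, `data.status`), which the post does not show, as a genuine block. The sample response is constructed from the headers and body in the post, shortened; function names are mine.

```javascript
// Constructed sample, assembled from the headers and JSON body shown in the post above.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 404 Not Found',
  'Server: Apache',
  'X-Robots-Tag: noindex',
  'Link: <https://www.website.com/wp-json/>; rel="https://api.w.org/"',
  'Allow: GET',
  'Content-Type: application/json; charset=UTF-8',
  '',
  '{"id":1,"name":"User One","slug":"admin","meta":[],"_links":{"self":[{"href":"https://www.website.com/wp-json/wp/v2/users/1"}]}}',
].join('\r\n');

// RFC 7230 token characters for a header name, followed by ":".
const HEADER_LINE = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*)$/;

// Parse "curl -i" output: status line, header lines, blank line, body. Pasted
// transcripts often lose the blank line, so the first non-header line also ends the headers.
function parseRawHttpResponse(raw) {
  const lines = raw.replace(/\r\n/g, '\n').split('\n');
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(lines[0] || '');
  if (!m) throw new Error('not an HTTP response: ' + lines[0]);
  const headers = {};
  let i = 1;
  for (; i < lines.length; i++) {
    const line = lines[i];
    if (line === '') { i++; break; }
    const h = HEADER_LINE.exec(line);
    if (!h) break;
    const name = h[1].toLowerCase();
    headers[name] = name in headers ? headers[name] + ', ' + h[2] : h[2];
  }
  return { status: Number(m[1]), headers, body: lines.slice(i).join('\n') };
}

// Did the block work? An error status is only convincing when no resource body comes with it.
function restBlockEffective(resp) {
  if (resp.status < 400) return { blocked: false, reason: `status ${resp.status} is not an error` };
  const ct = (resp.headers['content-type'] || '').toLowerCase();
  if (!ct.startsWith('application/json')) return { blocked: true, reason: 'error status without a JSON body' };
  let json;
  try {
    json = JSON.parse(resp.body.trim());
  } catch (e) {
    return { blocked: true, reason: 'error status with a non-JSON body' };
  }
  // WordPress REST error envelopes look like {"code":"rest_no_route","message":"...","data":{"status":404}}
  if (json && typeof json === 'object' && !Array.isArray(json) &&
      typeof json.code === 'string' && json.data && typeof json.data.status === 'number') {
    return { blocked: true, reason: `REST error envelope ${json.code}` };
  }
  return { blocked: false, reason: 'error status but a resource body was still served' };
}

console.log(restBlockEffective(parseRawHttpResponse(SAMPLE_RESPONSE)));
```

On the transcript above the check reports `blocked: false`: the rewrite rule changed the status line, but the user resource was still served, which is what the question is observing.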

csrftoken in django rest framework - sending through HTTPIE

I'm trying to log in through the HTTP form from DRF:
> https://my.site.io/api-auth/login/
Using httpie, I generate a session.json to get the CSRF token:
$ http --session=why -h https://my.site.io/api-auth/login/
Referrer-Policy: same-origin
Server: nginx/1.18.0
Set-Cookie: csrftoken=dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE; expires=Thu, 02 Dec 2021 15:32:49 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Vary: Cookie
X-Content-Type-Options: nosniff
I use the csrftoken from the cookies and:
http --session=why -h POST https://my.site.io/api-auth/login/ username=user password=pass X-CSRFToken:dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE -p Hh
This is the output (with both request and response headers):
POST /api-auth/login/ HTTP/1.1
Accept: application/json, */*;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 49
Content-Type: application/json
Cookie: csrftoken=dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE
Host: my.site.io
User-Agent: HTTPie/2.3.0
csrfmiddlewaretoken: dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 3366
Content-Type: text/html
Date: Thu, 03 Dec 2020 15:33:37 GMT
Referrer-Policy: same-origin
Server: nginx/1.18.0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
I tried to use X-CSRFToken instead of csrfmiddlewaretoken.
I can perform the login through a browser. If a browser is working, I don't see how it can be a problem with the Django Rest Framework configuration. Maybe I'm doing something wrong with httpie.
What can it be?
Thanks in advance.

StatusCode: 403, ReasonPhrase: 'Forbidden' when doing prediction request in google ml in .net

I am currently working on making the prediction request using the library Google.Apis.CloudMachineLearningEngine.v1 and ended up with this JSON return:
{
StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content:
System.Net.Http.StreamContent, Headers:
{
Vary: Origin
Vary: X-Origin
Vary: Referer
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Transfer-Encoding: chunked
Cache-Control: private
Date: Mon, 13 Aug 2018 17:57:44 GMT
Server: ESF
Content-Type: application/json; charset=UTF-8
}
}.
My code is similar to this blog (the last code he made).
I also have an editor role set up for that service account (changed in IAM & ADMIN/IAM) and also added editor permission on ML Engine/Models/{model name} to that generated email.
I want to know if there is something I missed. I am running the code in ASP.NET in debug mode (via localhost). I just need a bit of clear information to make it work.

AWS Cognito - RESET_REQUIRED redirect not working

Currently I'm using the default UI from Cognito to authenticate my users.
When I mark them as RESET_REQUIRED, the redirect to forgot_password is not working.
Here are the request and response headers:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Tue, 05 Jun 2018 21:22:15 GMT
Expires: 0
Location: redirect:/forgotPassword?redirect_uri=https://domain.delist&response_type=code&client_id=4711&errorMessage=Password reset required for user due to security reasons.
Pragma: no-cache
Server: Server
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: keep-alive
Any idea, or am I missing something?
I think your Location header is incorrect. Try removing the "redirect:" so it is:
Location: /forgotPassword?redirect_uri=https://domain.delist&response_type=code&client_id=4711&errorMessage=Password reset required for user due to security reasons.
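An added example, not from the question or the answer and not Cognito code: resolving a Location header the way the browser does, with the WHATWG URL parser relative to the request URL, shows why the original value fails. `redirect:` is taken as the URL scheme, so the browser is not being sent to a path on the login origin at all. A second function checks the redirect_uri query parameter against a list of registered origins, the control a hosted-login flow depends on so that such redirects cannot be pointed elsewhere. REQUEST_URL is an assumed origin standing in for the Cognito domain; the two Location values are the ones from the post and the answer, and the function names are mine.

```javascript
// Resolve a Location header value exactly as a browser would: WHATWG URL parsing
// relative to the URL of the request that produced the 302.
function resolveLocation(locationValue, requestUrl) {
  let url;
  try {
    url = new URL(locationValue, requestUrl);
  } catch (e) {
    return { navigable: false, href: null, reason: 'Location is not a parseable URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    // "redirect:/forgotPassword" parses with scheme "redirect:" instead of as a path on
    // the issuing origin; a view-name prefix has leaked into the header.
    return { navigable: false, href: url.href, reason: `non-HTTP scheme "${url.protocol}"` };
  }
  return { navigable: true, href: url.href, reason: `resolves on ${url.origin}` };
}

// Defensive companion: the redirect_uri carried in the query string must belong to a
// registered origin, otherwise the login flow can be made to redirect anywhere.
function redirectUriAllowed(href, allowedOrigins) {
  const target = new URL(href).searchParams.get('redirect_uri');
  if (!target) return false;
  try {
    return allowedOrigins.includes(new URL(target).origin);
  } catch (e) {
    return false; // redirect_uri is not an absolute URL
  }
}

// The header value from the post, and the corrected value from the answer.
const BROKEN_LOCATION = 'redirect:/forgotPassword?redirect_uri=https://domain.delist&response_type=code&client_id=4711&errorMessage=Password reset required for user due to security reasons.';
const FIXED_LOCATION = BROKEN_LOCATION.slice('redirect:'.length);
// Assumed: the URL the 302 was issued from (stands in for the hosted-UI domain).
const REQUEST_URL = 'https://auth.example.com/login';

console.log(resolveLocation(BROKEN_LOCATION, REQUEST_URL));
console.log(resolveLocation(FIXED_LOCATION, REQUEST_URL));
```

The broken value resolves to a `redirect:` URL that no browser will follow; the corrected value resolves on the issuing origin, and its redirect_uri can then be checked against the registered callback origins before the flow continues.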

Stop watching google push notifications

I am using the Google Reports API to watch for changes to resources, such as a user's Google Calendar activity events. To achieve this, a channel (or watchpoint) was created by following the steps here: https://developers.google.com/admin-sdk/reports/v1/reference/activities/watch
Now, I would like to stop watching a resource before the channel expires. I sent a POST request along with an access token in the header, and the body contains the channel id and the resource id (https://developers.google.com/admin-sdk/reports/v1/reference/channels/stop). However, I keep getting a 404 Not Found. Am I doing something wrong here?
All other requests using the same access token are working fine.
My request/response looks like this:
POST /admin/reports/v1/channels/stop HTTP/1.1
Host: www.googleapis.com
Content-length: 97
Content-type: application/json
Authorization: Bearer ya29.rAExOpnO_gatfyJvKWEVt8OsQ-LyaCyN3UUFjYzm0-3ExEBZ9an7WWfdDLqJspChQaiiIQ
{
"id": "5cfc250b-2faf-4f86-91b3-398326c6b4fb",
"resourceId": "A_HZ7mQy0Zpd6-TkQjr3aQlWd94"
}
HTTP/1.1 404 Not Found
Content-length: 9
X-xss-protection: 1; mode=block
X-content-type-options: nosniff
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Vary: Origin,X-Origin
Server: GSE
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Fri, 10 Jul 2015 17:10:40 GMT
X-frame-options: SAMEORIGIN
Content-type: text/html; charset=UTF-8
Not Found
Turns out the request URL specified in the documentation is wrong.
The correct one is
https://www.googleapis.com/admin/reports_v1/channels/stop
Issue reported here: https://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=3914