Question #1211
API: CORS handler
Status: closed
Description
Update: For handling Cross Origin Resource Sharing (CORS) and making cross-origin AJAX possible flask-cors was implemented: https://flask-cors.readthedocs.io/en/latest/.
Original description
Hi everyone!
For getting data into the thanados app I was trying to figure out how to access the API (from thanados.openatlas.eu) via javascript (from my localhost).
- 1st I set the API to public
- 2nd I tried to get one JSON-LD via jQuery's getJSON:
$.getJSON( "https://thanados.openatlas.eu/api/0.1/entity/120290", function( data ) { console.log(data) });
I get the following error:
Access to XMLHttpRequest at 'https://thanados.openatlas.eu/api/0.1/entity/120290' from origin 'http://127.0.0.1:5000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
If I execute the command from the console on the thanados.openatlas.eu website, it works.
I tried some suggestions from stackoverflow etc. but none worked to get the data from my localhost.
I wonder if the error is on my end or if we need to allow requests from other origins than thanados.openatlas.eu in the openatlas code.
Any help appreciated.
Thanks and best regards,
Stefan
Updated by Christoph Hoffmann over 4 years ago
if the base URL of the website you're requesting (in this case https://thanados.openatlas.eu/) is different from the website making the request (in this case http://127.0.0.1:5000) an HTTP header of the format
Access-Control-Allow-Origin: http://127.0.0.1:5000
needs to be present in the requested website's HTTP response. for reference see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
for handling CORS in Flask there appears to be a separate module https://flask-cors.readthedocs.io/
implementing this may need some considerations regarding the security of our ajax endpoints though.
for your development environment an adaptation to openatlas/views/api.py on your (server-side) thanados version setting the header manually may suffice:
https://github.com/craws/OpenAtlas/tree/feature_cors_quickfix
it's untested, but works locally :)
good luck and have a nice evening
Updated by Stefan Eichert over 4 years ago
Many thanks! I will use this in my local environment. :-)
Still this raises the question (at least for me - please correct me if I am wrong) about the accessibility of the API in general. Wasn't the main purpose that external web applications can get the data from our API? If javascript is used for that (maybe also other approaches) this is not possible without our side to allow for any origin of the request?
Thanks again and all the best,
Stefan
Updated by Alexander Watzinger over 4 years ago
- Status changed from New to Assigned
- Target version set to 208
Updated by Bernhard Koschiček-Krombholz over 4 years ago
Stefan Eichert wrote:
Many thanks! I will use this in my local environment. :-)
Still this raises the question (at least for me - please correct me if I am wrong) about the accessibility of the API in general. Wasn't the main purpose that external web applications can get the data from our API? If javascript is used for that (maybe also other approaches) this is not possible without our side to allow for any origin of the request?
Thanks again and all the best,
Stefan
You are absolutely correct, every domain should be able to access the API. I have to/will implement this.
Updated by Bernhard Koschiček-Krombholz over 4 years ago
- Status changed from Assigned to Resolved
For now resolved. Moving all external access and API authentication to #1233.
Updated by Alexander Watzinger over 4 years ago
- Status changed from Resolved to Closed
Setting status to closed so that it doesn't show up as open anymore. Hope that's ok, otherwise please change the status again.
Updated by Bernhard Koschiček-Krombholz over 4 years ago
- Status changed from Closed to In Progress
I reopen the ticket, because it was only solved by a hotfix.
@Christoph Hoffmann: I would implement this feature with https://flask-cors.readthedocs.io/en/latest/. The idea from you, that in the admin interface one can just enter a comma-separated list of domains that are allowed, would be the best and simplest to implement.
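One way to implement the comma-separated allowlist proposed above, written here as an added example and not OpenAtlas code: the origin parsing and the per-request header decision in plain Python with no Flask dependency, so it can be exercised on its own. The setting value, the function names and the `*` shorthand for the "every domain" case from the thread are assumptions.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed example of the admin-interface value discussed in this ticket:
# a comma-separated list of origins that may read the API from a browser.
# A single "*" stands for "public to every domain".
ALLOWED_ORIGINS_SETTING = "http://127.0.0.1:5000, https://thanados.openatlas.eu/"


def parse_allowed_origins(setting: str) -> set[str]:
    """Turn the comma-separated admin value into a set of normalised origins.

    An origin is scheme://host[:port]; paths and trailing slashes are dropped
    so that 'https://thanados.openatlas.eu/' and 'https://thanados.openatlas.eu'
    compare equal. Entries without a scheme are rejected instead of silently
    becoming an allowlist rule that never matches.
    """
    origins: set[str] = set()
    for raw in setting.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw == "*":
            origins.add("*")
            continue
        parts = urlsplit(raw)
        if not parts.scheme or not parts.netloc:
            raise ValueError(f"not an origin (need scheme://host[:port]): {raw!r}")
        origins.add(f"{parts.scheme.lower()}://{parts.netloc.lower()}")
    return origins


ALLOWED_ORIGINS = parse_allowed_origins(ALLOWED_ORIGINS_SETTING)


def cors_headers(request_origin: str | None, allowed: set[str]) -> dict[str, str]:
    """Return the CORS response headers for one request.

    Without an Origin header (same-origin page, curl, server-to-server) nothing
    is added. An origin not on the allowlist gets no header, which is exactly
    the browser error quoted in the ticket. A listed origin is echoed back
    rather than answered with '*', so the allowlist stays as narrow as
    configured, and 'Vary: Origin' stops caches from serving one origin's
    answer to another.
    """
    if request_origin is None:
        return {}
    if "*" in allowed:
        return {"Access-Control-Allow-Origin": "*"}
    origin = request_origin.strip().lower()
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```

With flask-cors the parsed list is handed over as `CORS(app, origins=sorted(ALLOWED_ORIGINS))`, which adds the same header for matching origins.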
Updated by Bernhard Koschiček-Krombholz over 4 years ago
- Subject changed from API: jquery getJson to API: CORS handler
renamed issue.
Updated by Bernhard Koschiček-Krombholz about 4 years ago
- Target version changed from 208 to 5.3.0
- Status changed from In Progress to Closed
- Assignee changed from Bernhard Koschiček-Krombholz to Alexander Watzinger
Should be working with the new version. Still remember, you have to set the API to public.
@Alexander Watzinger all tests pass on my side and Mypy only throws errors on things I didn't touch. I merged it to develop.