Question #1211

API: CORS handler

Added by Stefan Eichert 7 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Low
Category:
API
Target version:
Start date:
2020-04-22
Estimated time:

Description

Update: For handling Cross Origin Resource Sharing (CORS) and making cross-origin AJAX possible flask-cors was implemented: https://flask-cors.readthedocs.io/en/latest/.

Original description
Hi everyone!
For getting data into the thanados app I was trying to figure out how to access the API (from thanados.openatlas.eu) via JavaScript (from my localhost).
  • 1st I set the API to public
  • 2nd I tried to get one JSON-LD via jQuery's getJSON:
$.getJSON("https://thanados.openatlas.eu/api/0.1/entity/120290", function(data) {
    console.log(data);
});

I get the following error:

Access to XMLHttpRequest at 'https://thanados.openatlas.eu/api/0.1/entity/120290' from origin 'http://127.0.0.1:5000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If I execute the command from the console on the thanados.openatlas.eu website, it works.

I tried some suggestions from Stack Overflow etc. but none of them worked to get the data from my localhost.

I wonder if the error is on my end or if we need to allow requests from other origins than thanados.openatlas.eu in the openatlas code.

Any help appreciated.
Thanks and best regards,
Stefan

History

#1

Updated by Christoph Hoffmann 7 months ago

If the base URL of the website you're requesting (in this case https://thanados.openatlas.eu/) is different from the website making the request (in this case http://127.0.0.1:5000), an HTTP header of the format

Access-Control-Allow-Origin: http://127.0.0.1:5000

needs to be present in the requested website's HTTP response. For reference see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

For handling CORS in Flask there appears to be a separate module: https://flask-cors.readthedocs.io/
Implementing this may need some considerations regarding the security of our AJAX endpoints though.

For your development environment an adaptation to openatlas/views/api.py on your (server side) thanados version setting the header manually may suffice:
https://github.com/craws/OpenAtlas/tree/feature_cors_quickfix

It's untested, but works locally :)
Good luck and have a nice evening

#2

Updated by Stefan Eichert 7 months ago

Many thanks! I will use this in my local environment. :-)

Still, this raises the question (at least for me - please correct me if I am wrong) about the accessibility of the API in general. Wasn't the main purpose that external web applications can get the data from our API? If JavaScript is used for that (maybe also other approaches), this is not possible without our side allowing any origin of the request?

Thanks again and all the best,
Stefan

#3

Updated by Alexander Watzinger 7 months ago

  • Target version set to API
  • Status changed from New to Assigned

#4

Updated by Bernhard Koschicek 7 months ago

Stefan Eichert wrote:

Many thanks! I will use this in my local environment. :-)

Still, this raises the question (at least for me - please correct me if I am wrong) about the accessibility of the API in general. Wasn't the main purpose that external web applications can get the data from our API? If JavaScript is used for that (maybe also other approaches), this is not possible without our side allowing any origin of the request?

Thanks again and all the best,
Stefan

You are absolutely correct, every domain should be able to access the API. I have to/will implement this.

#5

Updated by Bernhard Koschicek 6 months ago

  • Status changed from Assigned to Resolved

For now resolved. Moving all external access and API authentication to #1233.

#6

Updated by Alexander Watzinger 6 months ago

  • Status changed from Resolved to Closed

Setting status to closed so that it doesn't show up as open anymore. Hope that's OK, otherwise please change the status again.

#7

Updated by Bernhard Koschicek 5 months ago

  • Status changed from Closed to In Progress

I am reopening the ticket, because it was only solved by a hotfix.
Christoph Hoffmann: I would implement this feature with https://flask-cors.readthedocs.io/en/latest/. Your idea that in the admin interface one can just enter a comma-separated list of domains which are allowed would be the best and simplest to implement.
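
An added example (not OpenAtlas code and not flask-cors itself) of the mechanism described in #1 and the allowlist design proposed above: a comma-separated admin setting is parsed into a set of origins, and a response only gets Access-Control-Allow-Origin when the request's Origin is on that list, so unlisted origins still see the browser error quoted in the ticket. The setting value, the function names and the after_request wiring are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of what the proposed admin setting might hold (hypothetical).
ALLOWED_ORIGINS_SETTING = "https://thanados.openatlas.eu, http://127.0.0.1:5000"


def parse_allowed_origins(setting: str) -> set:
    """Turn the comma-separated admin setting into a set of normalised origins."""
    origins = set()
    for item in setting.split(","):
        item = item.strip().rstrip("/").lower()
        if not item:
            continue
        if item == "*":          # explicit "allow every origin", as asked for in #4
            origins.add("*")
            continue
        parts = urlsplit(item)
        # An origin is scheme://host[:port]; reject bare host names or paths.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an origin: {item!r}")
        origins.add(f"{parts.scheme}://{parts.netloc}")
    return origins


def cors_headers(request_origin, allowed: set, preflight: bool = False) -> dict:
    """Headers to add for a request carrying this Origin; {} means 'not allowed'.

    No Origin header means a same-origin or non-browser request, which needs no
    CORS headers at all (that is why the call from the thanados.openatlas.eu
    console in the ticket worked without any change).
    """
    if not request_origin:
        return {}
    origin = request_origin.rstrip("/").lower()
    if "*" in allowed:
        headers = {"Access-Control-Allow-Origin": "*"}
    elif origin in allowed:
        # Echo the specific origin and tell caches the answer depends on it.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    else:
        return {}
    if preflight:  # browser OPTIONS request before non-simple requests
        headers["Access-Control-Allow-Methods"] = "GET, OPTIONS"
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    # Hand-rolled Flask wiring; flask-cors' CORS(app, origins=[...]) does the equivalent.
    from flask import Flask, request
    app = Flask(__name__)
    allowed = parse_allowed_origins(ALLOWED_ORIGINS_SETTING)

    @app.after_request
    def add_cors(response):
        extra = cors_headers(request.headers.get("Origin"), allowed, request.method == "OPTIONS")
        response.headers.update(extra)
        return response
    app.run()
```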

#8

Updated by Bernhard Koschicek 5 months ago

  • Subject changed from API: jquery getJson to API: CORS handler

Renamed issue.

#9

Updated by Bernhard Koschicek 5 months ago

  • Target version changed from API to 5.3.0
  • Assignee changed from Bernhard Koschicek to Alexander Watzinger
  • Status changed from In Progress to Closed

Should be working with the new version. Still, remember you have to set the API to public.
Alexander Watzinger: all tests pass on my side and Mypy only throws errors on things I didn't touch. I merged it to develop.

#10

Updated by Alexander Watzinger 4 months ago

  • Description updated (diff)
