Jump to content

API request to my forum is getting blocked by CORS policy

6ichem

By 6ichem
in Feedback

 Share

Recommended Posts

6ichem Enthusiast

6ichem

Posted
Posted (edited)

I'm getting this error when making a get request from my frontend to the IPB api:  

Access to XMLHttpRequest at 'url' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The request works fine when using postman and passing the API as username with no password (like mentioned in the docs) but when doing this with react/axios on the frontend it doesn't seem to work. Is this an issue with IPB? How can it be fixed? I'm no backend pro so any help would be really appreciated. Thanks

Edited by 6ichem
bfarber Grand Master

bfarber

Posted
Posted

If you make the request within the client/browser, you need to content with CORS which is designed to allow cross-domain requests to work but also provide protection against javascript-based attacks. Essentially, you'll need to add a few response headers for these requests which is typically done at the server level.

Postman doesn't run in the browser context which is why it works without an error.

One word of caution - running any sort of API requests via javascript exposes the API credentials. We'd only recommend using an OAuth-based client for API requests if javascript is going to be executing the API requests, since the permission level will match the current logged in user anyways.

6ichem Enthusiast

6ichem

Posted
  • Author
Posted
16 hours ago, bfarber said:

If you make the request within the client/browser, you need to content with CORS which is designed to allow cross-domain requests to work but also provide protection against javascript-based attacks. Essentially, you'll need to add a few response headers for these requests which is typically done at the server level.

Postman doesn't run in the browser context which is why it works without an error.

One word of caution - running any sort of API requests via javascript exposes the API credentials. We'd only recommend using an OAuth-based client for API requests if javascript is going to be executing the API requests, since the permission level will match the current logged in user anyways.

Well there isn't really a point of using OAuth if the information I'm trying to get is basically something public that can be viewed by even guests right?

Stuart Silvester Grand Master

Stuart Silvester

Posted
Posted
52 minutes ago, 6ichem said:

Well there isn't really a point of using OAuth if the information I'm trying to get is basically something public that can be viewed by even guests right?

The difference is that when you use an API key, you're interacting at a high level. These requests do not have extra permission checks on them to determine if the end user can see the content.

Even if you're specifically crafting a URL to fetch topics from a certain forum, your same API key could be used to fetch topics from a secret forum that you don't want anyone to see.

Quote

When using an API key, all data is available and all actions can be performed. For example, if you send an API request to GET /forums/topics, every topic in the community will be in the results; if you send an API request to POST /forums/topics you can create a topic as any user on the community. It is therefore very important that you always keep the API Keys secret, and only grant access to the endpoints you intend to use.

https://invisioncommunity.com/developers/rest-api

6ichem Enthusiast

6ichem

Posted
  • Author
Posted
6 minutes ago, Stuart Silvester said:

The difference is that when you use an API key, you're interacting at a high level. These requests do not have extra permission checks on them to determine if the end user can see the content.

Even if you're specifically crafting a URL to fetch topics from a certain forum, your same API key could be used to fetch topics from a secret forum that you don't want anyone to see.

https://invisioncommunity.com/developers/rest-api

Good point, I'll try doing it with OAuth (I never used it before). Would it require cors as well? I'm still struggling to fix that...

Stuart Silvester Grand Master

Stuart Silvester

Posted
Posted
2 minutes ago, 6ichem said:

Good point, I'll try doing it with OAuth (I never used it before). Would it require cors as well? I'm still struggling to fix that...

Yes, you would still need to configure the CORS headers. The main difference is that you will be sending requests as an authenticated user instead, so they'll only be able to see things that they're allowed to see and perform actions where allowed.

 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Invision Community © 2024 IPS, Inc.
×
×
  • Create New...