I can make a request from postman but when I make the same exact request (I'm talking about even copying the code from postman) I get an error.
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://glacial-stream-35306.herokuapp.com' is therefore not allowed access.
Even with the cors-eveywhere chrome extension and attempting to use jsonp I cannot get it to work. Even though the request goes through every time on postman.
What makes a postman req different from a request from a Heroku app?
Related
I am confused by why the cors package allows the request to be processed even if the origin in the request header isn't white-listed. For example, res.status(202).send(await User.find()) returns a response with status code 202, but the data can't be loaded in the Chrome console.
Also, doesn't the browser send preflight OPTIONS requests to know what's allowed; why would it send cookies/credentials along a request with a disallowed origin?
Edit: Tried a post request on jsfiddle and the post request doesn't happen server side. When I said "why the cors package allows" it would be better to say why the browser allows.
CORS is enforced in the browser, not in your server. The server participates in setting headers that the browser can then use to determine whether the request should be allowed or not. But, it is the browser that ultimately decides whether the CORS request satisfies the requirements or not and the result should be passed through to the Javascript in the browser.
Thus, the request is sent to the server, response is received and THEN the browser decides whether the Javascript in the page is allowed to see the result or not.
In some cases where the request is likely to have side effects on the server (based on a set of criteria in the request), the browser will send a pre-flight request to get just the CORS info first.
I am trying to access the token from the Response Header of the POST request. However, when I POST the request in POSTMAN it doesn’t show all the Response headers which I see on the chrome dev tool.
The KEY in the response header I am after is :
location: https://app.rm.dev/auth/callback/?token=
Also, I can see when I POST the request I receive a GET request in the chain in the Console window [image attached]. I tried but was unable to get all the Response Headers, therefore is there a way I can copy the GET request Token value from the Console window shown in the Image?
Found the solution, just needed to toggle off Auto redirect option in Postman Settings.
I am trying to integrate a third party API. I was provided with a username and password.
When I use Postman to send a post request to the login webpage; the request header contains a postman token:
Postman-Token: vvvvvvvvv-wwwww-xxxx-yyyy-zzzzzzzzzz //this is not the real value
If I supply the postman token to every request after the login request (as shown below) then everything still works as expected:
If I access the api through my webpage, then everything also works as expected. My questions are:
What is the Postman token? I have looked already here: https://stackoverflow.com/questions/36883046/what-is-the-postman-token-header-attribute-in-generated-code-from-postman#:~:text=1%20Answer&text=This%20is%20primarily%20used%20to,random%20token%20avoids%20this%20issue.
What is the alternative to the Postman token when accessing the API though a webpage. I can see no token in the request when looking at it using Fiddler. Were is the bearer token in Fiddler?
Postman Token :
So it is just a custom header to track and debug postman requests in the receiving server
It doesn't do any authorization
Why no token in fiddler:
Because you haven't added it . You can add any custom header to the request you are sending
Why it works when used as bearer token
Because in your login call your session is cached . So for subsequent requests it is using cached session
To close the session , update the Connection header from keep-alive to close
Try setting second request to no auth:
and see if the request is still successful to confirm you are using cached session
I am trying to use the Aurelia HttpClient to call the TagniFi API on a different domain (and authenticating). The relevant code is:
return this._httpClient.createRequest(uri)
.asGet()
.withCredentials(true)
.withHeader('Access-Control-Allow-Origin', 'localhost:9000')
.withHeader('Authorization', 'Basic <my-key>')
.send();
I do receive a status 200 from the API, but I get the following error:
Response to preflight request doesn't pass access control check: A >wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header >when the credentials flag is true. Origin 'http://localhost:9000' is >therefore not allowed access. The credentials mode of an XMLHttpRequest >is controlled by the withCredentials attribute.
I am not sure if this is a error in the way I am making the call or a bug in Aurelia. Any help is appreciated. Thanks.
The Access-Control-Allow-Origin is an header sent in the response by the server and in your case you use it in the request from the client.
It's not a bug in Aurelia but a misuse of CORS.
See this excellent answer for more information on CORS.
There is no authentication on server side so authentication should not be issue.
URL format: PUT
https://localhost/api/v1/protections?integrationKey=111&userKey=1111&group=111&category=foo
Payload:
{"action":"BLOCK"}
This is working fine in Postman.
In SOAP UI , I am giving input as under:
EndPoint: https://localhost
Resource: /api/v1/protections
Parameters:?integrationKey=111&userKey=1111&group=111&category=foo
in Media type, I am selecting "application/json"
and entering {"action": "BLOCK"} but getting "Wed Jan 20 16:25:27 PST 2016:DEBUG:Receiving response: HTTP/1.1 403 Forbidden
"
Is there any suggestion to get the output in SOAP UI.
Depending on the server where the rest is exposed service generates an HTTP 403, you should verify that server is and thus find the fastest response.
Also try making a GET request from the browser to see if you can answer correctly because problem lock your machine to the server.
As is https, it may be that you lack some certificate set SOAPUI. possibly Postman you use already has configured. Try to check this setting.
In my case, I missed the Header "User-Agent" and "accept". I put in Soap UI and Works.
In Postman, this headers it put automatically.