CORS is again at the center of the battle
I have an issue with the following path:
XDataWebClient --> API GW --> API Server Apache XData
With XDataWebClient, when opening a connection to the URL (obfuscated) using Firefox or MS Edge: https://apihub-2.*********-preprod.net:8080/*************/reparateurs
I get a CORS error:
"Access to XMLHttpRequest at 'https://apihub-2.*******-preprod.net:8080/ ******* /reparateurs/$model' from origin 'http://localhost:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
But when I check the same request with the curl client, everything works fine (from the same PC).
And it lets me check that the CORS authorization is present:
< Access-Control-Allow-Origin: *
Is there something to add for XDataWebClient?
Thanks
Sylvain
Details of the curl request which simulates the HTTP request done by XDataWebClient:
>curl -v --header "authorization: 1*******************************2" -H "Origin: http://localhost:8000" https://apihub-2.*********-preprod.net:8080/*************/reparateurs/$model
* Trying 145.239.187.244:8080...
* Connected to apihub-2.*******-preprod.net (145.239.187.244) port 8080 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
> GET /*******/reparateurs/$model HTTP/1.1
> Host: apihub-2.*******-preprod.net:8080
> User-Agent: curl/7.83.1
> Accept: */*
> authorization: 1*************2
> Origin: http://localhost:8000
>
* schannel: failed to decrypt data, need more data
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Length: 67500
< Content-Type: application/json
< Date: Wed, 02 Nov 2022 16:38:20 GMT
< Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/8.0.6
< X-Ratelimit-Limit: -1
< X-Ratelimit-Remaining: 0
< X-Ratelimit-Reset: 0
< Xdata-Version: 2
<
{
"Title": "Server API",
"Version": "3",
"Schemas": [
{
"Namespace": "XData.Default",
"EntityTypes": [
{
"Name": "Site",
"Properties": [
seems fired.
But it's the event used to integrate the header key for API authorization.
And without this info inside the header, the API Gateway (which is securing the XData API) refuses the XDataWebClient connection request.
On our Tyk.io gateway
error=Authorization field missing
path=/xdata/reparateurs/$model <= which is the request at connection from xdatawebclient
Is there a way to force the connection to use XDataWebClientRequest before sending the request?
Continuing to investigate, I discovered that most API gateways can let CORS OPTIONS requests go through the gateway on the first connection to test the CORS status.
There is such an option in Tyk.io, but the connection request is a GET, not an OPTIONS.
Maybe a next feature for XDataWebClient will be to enable sending an OPTIONS request before any other.
The /$model endpoint request is performed by the TXDataWebConnection component, not the TXDataWebClient. For authorization purposes, I recommend always using the OnRequest event of the TXDataWebConnection itself, since it centralizes the requests for any client connected to it.
This is done automatically by the browser, there is no need for the component to do so.
Thanks Wagner,
My bad, switching from XDataWebClient to XDataWebConnection, the header is well formed and the request is working fine through the Tyk.io API Gateway.
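
Added example, not part of the thread or of TMS XData: a simplified model of the browser's CORS checks, showing why the same /$model call reads as a CORS error in the browser while curl with the header succeeds, and why the browser preflights a request carrying `authorization` on its own. The function names are hypothetical, and the gateway's rejection response (status 401, no CORS header) is an assumption consistent with the browser error quoted above.

```javascript
// Added example; the function names and the sample responses are constructed.
// Simplified from the Fetch standard: credentials mode, Range and header-length
// limits are not modelled.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// True when the browser sends an OPTIONS preflight by itself before the request.
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) return true; // e.g. authorization
    if (n !== 'content-type') return false;
    return !SIMPLE_TYPES.includes(value.split(';')[0].trim().toLowerCase());
  });
}

// True when script running on `origin` may read a response with these headers.
function originAllowed(origin, responseHeaders) {
  const acao = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === 'access-control-allow-origin');
  return acao !== undefined && (acao[1] === '*' || acao[1] === origin);
}

// What the page sees: a CORS failure hides the real status from script.
function browserVerdict(origin, response) {
  return originAllowed(origin, response.headers)
    ? `readable, status ${response.status}`
    : 'blocked by CORS policy: no matching Access-Control-Allow-Origin';
}

const ORIGIN = 'http://localhost:8000';
// Constructed: gateway rejection of the header-less request (status assumed).
const rejected = { status: 401, headers: { 'Content-Type': 'application/json' } };
// Constructed from the curl output in the thread.
const accepted = { status: 200, headers: { 'Access-Control-Allow-Origin': '*' } };

console.log('no auth header  :', browserVerdict(ORIGIN, rejected));
console.log('with auth header:', browserVerdict(ORIGIN, accepted));
console.log('preflight needed:', needsPreflight('GET', { authorization: 'constructed-key' }));
```

When a browser reports a missing Access-Control-Allow-Origin header but curl shows it, compare the request headers the browser actually sent (network tab) with the curl command before changing the server's CORS settings.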