[RFE] Getting Unauthorized and CORS issue while making a post call to automation_requests API #18517

Open
Raghvendra1987 opened this issue Mar 4, 2019 · 7 comments


Raghvendra1987 commented Mar 4, 2019

I am trying to make a POST call to the API using a UI which is written in ReactJS.

It works through Postman. It's failing in OPTIONS:

Background.js:38 OPTIONS https://abc.com/api/automation_requests 401 (Unauthorized)

abc.com/:1 Access to fetch at 'https://abc/api/automation_requests' from origin 'https://abc.xx.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

@Fryguy
Member

Fryguy commented Aug 3, 2019

@himdel @martinpovolny @abellotti Thoughts here?

@Fryguy Fryguy added the bug label Aug 3, 2019
@himdel
Contributor

himdel commented Aug 5, 2019

EDIT: this is probably not relevant at all

There are 2 different ways of authenticating against the API:

Most likely, the problem is that you have a ManageIQ cookie (vmdb) and are not sending any other authentication data.
In that case, authentication will try to use the cookie, and fail on bad CSRF.

If you explicitly provide username & password via HTTP Basic to the API call, it should work.
(Or, you can send them to the API login endpoint, receive a token, and use that on all subsequent requests.)

@himdel
Contributor

himdel commented Aug 5, 2019

Sorry, I was reading this wrong... this is a CORS issue.

Postman does not check CORS, because it's a development tool.
But the browser does.

So, 2 options:

  • access the API from the same domain - that's how ManageIQ appliances work, the API is listening on the same domain+port as the UI, thus, no CORS issues

  • add a way to configure the API so that it will allow specific domains - so that you would have a place to add the domain as allowed in ManageIQ advanced configuration (@abellotti - does such a way already exist by any chance?)

@chessbyte
Member

@abellotti any ideas?

@himdel himdel removed their assignment Apr 24, 2020
@gtanzillo
Member

@himdel Do you think this is an issue that needs to be fixed or can it be closed?

@himdel
Contributor

himdel commented Jun 22, 2020

Well .. we don't need to support it for anything we're doing, and it was never possible before, so this is really a feature request.

@himdel
Contributor

himdel commented Jun 22, 2020

So, we can decide not to support it,
and/or document how to update the appliance to achieve this when desired,
or add product settings or UI to enable specific domains (possibly complicated given the appliance/pods split).

EDIT: I think for pods, this would have to be a build-time setting, not a runtime one

@chessbyte chessbyte changed the title Getting Unauthorized and CORS issue while making a post call to automation_requests API [RFE] Getting Unauthorized and CORS issue while making a post call to automation_requests API Jun 22, 2020
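
The two points raised in this thread (the credential-less OPTIONS preflight being rejected with 401, and the idea of allowing specific domains) sketched as Rack-style middleware. This is an added example, not ManageIQ code or an existing ManageIQ setting: the class name `PreflightAllowList`, the stub API and the origin `https://ui.example.com` are assumptions, and it runs without the rack gem.

```ruby
require "set"

# Hypothetical middleware (not ManageIQ code): exact-match origin allow-list.
class PreflightAllowList
  PREFLIGHT = {
    "Access-Control-Allow-Methods" => "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers" => "Authorization, Content-Type",
    "Access-Control-Max-Age"       => "600"
  }.freeze

  def initialize(app, allowed_origins)
    @app = app
    # Never echo an arbitrary Origin back; compare against a fixed set.
    @allowed = Set.new(allowed_origins)
  end

  def call(env)
    origin  = env["HTTP_ORIGIN"]
    allowed = !origin.nil? && @allowed.include?(origin)

    if preflight?(env)
      # Browsers send preflights without credentials, so answer here,
      # before the authentication layer gets a chance to return 401.
      return [403, { "Vary" => "Origin" }, []] unless allowed
      return [204, cors_headers(origin).merge(PREFLIGHT), []]
    end

    status, headers, body = @app.call(env)
    vary = [headers["Vary"], "Origin"].compact.join(", ")
    headers = headers.merge("Vary" => vary)
    headers["Access-Control-Allow-Origin"] = origin if allowed
    [status, headers, body]
  end

  private

  def preflight?(env)
    env["REQUEST_METHOD"] == "OPTIONS" &&
      env.key?("HTTP_ORIGIN") &&
      env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
  end

  def cors_headers(origin)
    { "Access-Control-Allow-Origin" => origin, "Vary" => "Origin" }
  end
end

# Constructed stand-in for the API: 401 unless an Authorization header is sent.
API = ->(env) { env["HTTP_AUTHORIZATION"] ? [200, {}, ["ok"]] : [401, {}, ["Unauthorized"]] }
APP = PreflightAllowList.new(API, ["https://ui.example.com"])
```

Only the preflight bypasses authentication; the actual POST still reaches the API's own auth check and gets 401 without credentials.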