Boavizta / boaviztapi

🛠 Giving access to BOAVIZTA reference data and methodologies through a RESTful API
GNU Affero General Public License v3.0

Cannot access public API with fetch API because of CORS restrictions #102

Closed renaudpawlak closed 1 year ago

renaudpawlak commented 2 years ago

The current API at https://api.boavizta.org is not accessible with the fetch API from any domain.

For instance, for the front-end created with DLite (during a hackathon) to access the API, the CORS policy should allow at least the origin https://platform.dlite.io. However, when trying to fetch https://api.boavizta.org/v1/server (POST), you get the following error:

Access to fetch at 'https://api.boavizta.org/v1/server/' from origin 'https://platform.dlite.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Is there a plan to open the API to any client domain (or at least to some white-listed domains)? The alternative would be to manage API keys. However, I believe that it would be nice for such a public-interest API to be fully open.

da-ekchajzer commented 2 years ago

I think we will make the allowed origins an environment variable and add 'https://platform.dlite.io/' in the environmental variable of the test endpoint https://api.boavizta.org/v1/server/.

I am transferring the issue to the boaviztapi repo.

da-ekchajzer commented 2 years ago

The last commit on dev adds the possibility to give a list of allowed origins by setting the environment variable ALLOWED_ORIGINS.

Example

export ALLOWED_ORIGINS='["https://platform.dlite.io/"]'

Could you try it on localhost to confirm that it works?
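As an added illustration (not boaviztapi's own code), this is how a server could parse a JSON list like the one above and decide whether to answer the preflight request shown in the first comment. The trailing-slash normalization is my assumption about a common pitfall: a browser's Origin header is only scheme://host[:port], so an exact-match allowlist containing "https://platform.dlite.io/" would never match "https://platform.dlite.io".

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the value suggested in the thread.
SAMPLE_ENV = '["https://platform.dlite.io/"]'


def normalize_origin(origin):
    """Reduce an origin string to scheme://host[:port], lower-cased.

    '*' is passed through unchanged. The browser's Origin header never
    carries a path, so a trailing '/' in the allowlist must be dropped.
    """
    if origin == "*":
        return origin
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an origin: {origin!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_allowed_origins(raw):
    """Parse the ALLOWED_ORIGINS JSON list into normalized origins."""
    origins = json.loads(raw)
    if not isinstance(origins, list) or not all(isinstance(o, str) for o in origins):
        raise ValueError("ALLOWED_ORIGINS must be a JSON list of strings")
    return [normalize_origin(o) for o in origins]


def preflight_headers(request_origin, allowed):
    """Return CORS headers for an OPTIONS preflight, or None if the origin is refused.

    When a specific origin is allowed, echo it back and add 'Vary: Origin' so
    caches do not serve one origin's answer to another.
    """
    if request_origin is None:
        return None
    if "*" in allowed:
        allow_origin = "*"
    elif normalize_origin(request_origin) in allowed:
        allow_origin = request_origin
    else:
        return None
    return {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Methods": "POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }
```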

renaudpawlak commented 2 years ago

Well, that would be complicated because I need to test from the prod version hosted on https://platform.dlite.io/... and my prod version does not have access to my dev localhost... Doing an actual test would require deploying the API on a publicly accessible domain. It is not worth the effort, since, as I said, I have fixed the CORS issue in DLite by using a CORS proxy. If you deploy on prod, I will be able to test if your ALLOWED_ORIGINS list works. Anyway, I think we should close the issue since it does not seem relevant after all :)

da-ekchajzer commented 1 year ago

Thanks for your answer. I'll close the issue when the feature is released.

odelcroi commented 1 year ago

I'm facing the same issue with the project datavizta. Would it be possible to allow cross-origin OPTIONS requests as described here?

As the API is public, maybe you should release this lock and allow all cross-origin requests from any origin ('*')?

da-ekchajzer commented 1 year ago

The problem should have been fixed on dev only (http://dev.api.boavizta.org/). The CORS policy is now set to * by default (and on the public endpoint).

It can be set with an environment variable. Refer to: http://doc.dev.api.boavizta.org/Reference/deploy/

Please let me know if the problem is fixed on your side.