search

USDA / USDA-APIs

Do you have feedback, ideas, or questions for USDA APIs? Use this repository's Issue Tracker to join the discussion.
www.usda.gov/developer
110 stars 16 forks source link

FDC API Requires Auth Header on OPTIONS Requests #69

Open westwood846 opened 5 years ago

westwood846 commented 5 years ago

I am working with the new FDC API and I find my CORS requests not working.

With a cross-origin request, modern browsers automatically send an OPTIONS request to the API server before sending the actual request. According to this W3 Recommendation the OPTIONS request is performed with any Auth headers stripped. But it seems that the new API requires the Authorization header to be present even on OPTIONS requests because these requests return 403, thus making CORS access impossible.

Would it be possible to change the API so that OPTIONS requests do not require the Authorization header/API key?

curl -X OPTIONS https://api.nal.usda.gov/fdc/v1/search -v

< HTTP/1.1 403 Forbidden
< Server: openresty
< Date: Mon, 17 Jun 2019 06:08:37 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< Access-Control-Allow-Origin: *
< X-Cache: MISS
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< 
{
  "error": {
    "code": "API_KEY_MISSING",
    "message": "No api_key was supplied. Get one at https://api.nal.usda.gov:443"
  }
* Connection #0 to host api.nal.usda.gov left intact
}
curl -X OPTIONS https://API_KEY@api.nal.usda.gov/fdc/v1/search -v

< HTTP/1.1 204 No Content
< Server: openresty
< Date: Mon, 17 Jun 2019 06:09:15 GMT
< Content-Type: text/plain charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
< Access-Control-Max-Age: 1728000
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< Age: 8
< Via: https/1.1 api-umbrella (ApacheTrafficServer [c s f ])
< X-Cache: MISS
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
facetrollex commented 5 years ago

Any updates on this?

kuzmenkovaES commented 5 years ago

I have the same problem with USDA ESMIS API for library.cornell.edu Could you please fix this problem asap?

littlebunch commented 5 years ago

This should now be fixed for the FDC API.