VivaPayments / API

Index of Viva Wallet open source projects on GitHub.

CORS error when calling /connect/token #2468

Closed SamuelMichelRiad closed 9 months ago

SamuelMichelRiad commented 9 months ago

Hello team,

We are integrating the ECR API in our POS system (web-based JS), and are running into a CORS issue when invoking the web services.

Access to XMLHttpRequest at 'https://demo-accounts.vivapayments.com/connect/token' from origin 'https://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Can you please add the Access-Control-Allow-Origin header to your web server configuration?

Thanks, Sam

VivaWalletCustomerSupport commented 9 months ago

Hello @SamuelMichelRiad,

Thank you for your message. We would like to inform you that this issue is a server-side issue. We would like to advise you to check if the CORS policy has been set correctly on your server.

Kind regards, Viva Wallet E-commerce Support Team

SamuelMichelRiad commented 9 months ago

Hi team,

I am calling a service on your server, not mine. I have a web application running on a local machine, which is calling the https://demo-accounts.vivapayments.com/connect/token endpoint.

Please update.

Thanks, Sam

VivaWalletCustomerSupport commented 9 months ago

Hello @SamuelMichelRiad,

Thank you for your reply. We would like to advise you to check your local machine settings. More information about the issue can be found in the link below:

https://stackoverflow.com/questions/68105091/cors-response-to-preflight-request-doesnt-pass-access-control-check-how-to-s

Kind regards, Viva Wallet E-commerce Support Team

SamuelMichelRiad commented 9 months ago

Team,

The issue is with your web server configuration. I do not have a server. I have an HTML file and JS code.

I have pasted the response headers from your server /connect/token, where you can clearly see there is no Access-Control-Allow-Origin header. This header determines which origins are allowed to call this service from a browser context.

Please liaise with your web server team to have this added to your configuration.

```
Cache-Control: no-store, no-cache, max-age=0
Content-Length: 27
Content-Type: application/json; charset=UTF-8
Date: Mon, 06 Nov 2023 15:25:03 GMT
Pragma: no-cache
Set-Cookie: ak_bmsc=6FC502E16ACA0E2688A565AE31F90A63~000000000000000000000000000000~YAAQxus/F0M8a6SLAQAAtrw8pRU3be16r348koDON6++uVPLyQsvOqyVaSOM/hCEBGb/75DBxeKDsr9i9PbBIBvkS7O9FEeMQkLmaqMgQCSo5HkrsG8N7XOYABVqyDuE4GdJtGbWt9QHy++mtEfATMhjoRCMGw918BPrXd60GseFRiwx0sj3ASbRVBy67NiASPIu43OqBiDzdzBscIPQEnPAipbm9cI0iQJWNoTQh/EJqwjR9Qunx6QMczxWhF0iO2xMnaS762Wf1YMnQT3GVZzqlFS1JHfdDXzeE7FuJS6UaFSHU2DPaeMnvUsg+9FOXGfetMGNrsHP8y2M8mq2SuVlCO3EFXkLy7ZIctdwV1//CK/dTeqU9KVD3pt9mKDpIoWDku0L6vgWFl7UbeoR; Domain=.vivapayments.com; Path=/; Expires=Mon, 06 Nov 2023 17:25:01 GMT; Max-Age=7198; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Viva-Correlationid: 23-310-B14E9AC9
```

VivaWalletCustomerSupport commented 9 months ago

Hello @SamuelMichelRiad,

Thank you for your message. We are currently investigating your issue. We will inform you as soon as we have any updates.

Kind regards, Viva Wallet E-commerce Support Team

SamuelMichelRiad commented 9 months ago

Hi team,

I have attached a minimal code sample that illustrates the issue. Run it in Chrome or Edge or Firefox.

(The attached sample, an HTML page titled "Viva Wallet token test", did not survive extraction; only its title remains.)
VivaWalletCustomerSupport commented 9 months ago

Hello @SamuelMichelRiad,

Thank you for the additional information. We will inform you as soon as we have any updates.

Kind regards, Viva Wallet E-commerce Support Team

VivaWalletCustomerSupport commented 9 months ago

Hello @SamuelMichelRiad,

Further to our investigation, we would like to inform you that the relevant header cannot be added due to Security Reasons as the API Calls may contain sensitive information.

Kind regards, Viva Wallet E-commerce Support Team

SamuelMichelRiad commented 9 months ago

Hello team,

This is a very disappointing reply.

  1. You are excluding all web-browser based integrations with this decision.
  2. The Access-Control-Allow-Origin header does not in itself expose sensitive information; it merely dictates which websites are allowed to call your web services from a browser context. You have no such restrictions for integrations through backend servers or desktop/mobile apps, where CORS checking is not enforced.
  3. You are forcing us to use an inefficient approach of either having our own servers be the middle man, or asking our users to turn off CORS checking in their browsers, neither of which is an acceptable or scalable approach.
  4. We are already integrated with three of your competitors, none of which have this restriction.

I hope your technical architects will reconsider this decision based on the reasons above, to allow us to offer Viva Wallet as an option to our customers.

Thanks
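Added example (not code from the issue thread or from Viva Wallet): a simplified model of the browser-side preflight decision behind the error quoted at the top of the thread and the allowlist semantics described in point 2 above. The OBSERVED headers are constructed to mirror the pasted response (cookie value is a placeholder), CORRECTED shows a single-origin allowlist, and the origin https://pos.example.test and the Authorization request header are assumptions.

```javascript
// Added example, not code from the issue or from Viva Wallet: a simplified
// model of the browser's CORS preflight decision. OBSERVED is constructed to
// mirror the header names pasted in the thread (cookie value is a placeholder);
// CORRECTED is what a server allowing one explicit origin would return.
function parseHeaders(raw) {
  const map = {};
  for (const line of raw.trim().split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) map[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return map;
}
// Returns {ok, reason}. Assumes the request is a POST carrying an Authorization
// header, which is what forces the preflight in the first place.
function preflightCheck(h, origin, reqHeaders, withCredentials) {
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  if (acao === "*" && withCredentials) return { ok: false, reason: "wildcard origin is rejected when credentials are sent" };
  if (acao !== "*" && acao !== origin) return { ok: false, reason: `origin ${origin} is not allowed (server allows ${acao})` };
  if (withCredentials && h["access-control-allow-credentials"] !== "true") return { ok: false, reason: "Access-Control-Allow-Credentials: true is missing" };
  const allowed = (h["access-control-allow-headers"] || "").split(",").map(s => s.trim().toLowerCase());
  const safelisted = ["accept", "accept-language", "content-language", "content-type"]; // CORS-safelisted request headers
  for (const name of reqHeaders.map(s => s.toLowerCase())) {
    if (!safelisted.includes(name) && !allowed.includes(name)) return { ok: false, reason: `request header ${name} is not allowed` };
  }
  return { ok: true, reason: "" };
}
// Constructed to match the thread's pasted response: no CORS headers at all.
const OBSERVED = `
Cache-Control: no-store, no-cache, max-age=0
Content-Type: application/json; charset=UTF-8
Set-Cookie: ak_bmsc=PLACEHOLDER; Domain=.vivapayments.com; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
`;
// What a fixed server would send: one explicit origin, never "*", plus
// Vary: Origin so caches never serve one origin's answer to another.
const CORRECTED = `
Access-Control-Allow-Origin: https://pos.example.test
Access-Control-Allow-Headers: Authorization, Content-Type
Vary: Origin
`;
function observedResult(origin) {
  return preflightCheck(parseHeaders(OBSERVED), origin, ["Authorization", "Content-Type"], false);
}
function correctedResult(origin) {
  return preflightCheck(parseHeaders(CORRECTED), origin, ["Authorization", "Content-Type"], false);
}
```

An explicit allowlist plus `Vary: Origin` is the form a server should use rather than `*`. Separately, any credential a page embeds in order to call a token endpoint from the browser is readable by whoever loads that page, so the allowlist decision and the credential-handling decision are distinct.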

VivaWalletCustomerSupport commented 9 months ago

Hello @SamuelMichelRiad,

Thank you for your suggestion. We always consider our customers' feedback for future improvements. We will review your request and possibly, it will be available in a future release.

Kind regards, Viva Wallet E-commerce Support Team

VivaWalletCustomerSupport commented 9 months ago

Hello @SamuelMichelRiad,

This ticket will close for now. Please don't hesitate to raise a new ticket if you need further assistance.

Kind regards, Viva Wallet E-commerce Support Team