felixphew / pokepaste

A pastebin for competitive Pokemon
http://pokepast.es
BSD 3-Clause "New" or "Revised" License
102 stars 22 forks

Allow CORS requests on /create from Pokémon Showdown #128

Open AnnikaCodes opened 3 years ago

AnnikaCodes commented 3 years ago

The Pokémon Showdown teambuilder has functionality for uploading teams to https://pokepast.es automatically. Currently, we use a <form>, but I would like to use jQuery instead (which fixes a bug with the PS! app). However, pokepast.es doesn't have the correct CORS headers for this.

I would appreciate it if you added Access-Control-Allow-Origin: * or Access-Control-Allow-Origin: *.psim.us, play.pokemonshowdown.com for POST requests to the pokepast.es/create URL. Thanks!

felixphew commented 3 years ago

Hi @AnnikaCodes, thanks for getting in touch! This is functionality I've wanted since PokePaste was mere weeks old, so I'm super glad to see it's here.

I've never thought about how CORS works for POST requests (I just looked it up, it involves an OPTIONS request) so this might take a sec to implement, but I'm on it.

felixphew commented 3 years ago

Could you give it a go now? I believe I'm sending the appropriate headers.

AnnikaCodes commented 3 years ago

Hm, looks like CORS doesn't support specifying multiple headers for Access-Control-Allow-Origin.

AnnikaCodes commented 3 years ago

You could check the Origin HTTP header and use that to set ACAO to either *.psim.us or play.pokemonshowdown.com, or just set ACAO to * (which is less secure, but a simpler solution and would make testing the teambuilder a bit easier).

felixphew commented 3 years ago

Long-term I'll want to do the former, but if it makes your testing easier, I'm happy to go with * for now. It'll have to wait until tomorrow, though.

felixphew commented 3 years ago

On second thoughts, try now.

AnnikaCodes commented 3 years ago

CORS on /create is now working fine. Unfortunately, you redirect directly to the URL of the paste, which has no CORS headers, and jQuery doesn't support capturing the redirect URL (see https://github.com/jquery/jquery/pull/4405). So it seems this functionality needs more than just CORS headers on /create to work properly.

Personally, I'd solve this by allowing an option in /create to send JSON metadata about the created paste instead of redirecting. This would make your API simpler for Pokémon Showdown and any other app that wants to upload teams.

Of course, it's your project, and you might prefer one of the many other possible solutions.

Geyserexe commented 3 years ago

I would find improvements to the API tremendously useful as well. I'm currently working on a program to automatically build teams, but console.logging all the teams is really not very efficient, because it forces the user to copy and paste the teams out. So I've been trying to upload the teams to pokepaste, but I'm struggling to find the resulting paste URL because of the confusing response I'm getting. Thanks!

felixphew commented 3 years ago

Thanks for the feedback! PokePaste was never designed to have an API as such - all of these endpoints have been added as they're requested, with no overarching design or plan, and while I'm excited people are finding such interest in developing integrations for it, I should probably step back and come up with a sensible API that meets most people's needs.

This issue has finally motivated me to resume work on PokePaste v4 in earnest, which should be ready for testing in a couple of weeks. I'll let both of you know (and anyone else reading this who'd like to test - speak up!) when this is ready. The first pieces of code should hopefully appear on GitHub next week. This is a ground-up rewrite in Erlang (mostly because I wanted a project, and am now a huge fan of the language).

Zarel commented 3 years ago

The main reason you would want to access-control by origin (and the reason browsers ban it by default) is because you track session state in cookies. If you don't use cookies for permission control, it's completely safe to set ACAO: *. If you do, you can still set up separate endpoints which ignore cookies that you set ACAO * on.

All this is to say: a good stopgap here would be to set ACAO * on the paste itself.
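The origin check AnnikaCodes suggests above (Access-Control-Allow-Origin takes a single value, so the server has to pick one allowlisted origin per request and echo it back), the preflight felixphew mentions, the cookie caveat Zarel raises, and the "return the URL instead of redirecting" option from the /create discussion, put together as an added Go example. This is not PokePaste's code and does not describe how pokepast.es actually implements /create: the allowlist values, the in-memory store, the paste-ID scheme and the `format=json` parameter are all assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"strings"
	"sync"
)

// Allowlist from the thread as scheme+host, optionally with one leading
// wildcard label. Assumed values for this example, not the project's config.
var allowedOrigins = []string{
	"https://play.pokemonshowdown.com",
	"https://*.psim.us",
}

// originAllowed reports whether an Origin header value is on the allowlist.
// Exact entries match byte for byte; "https://*.psim.us" matches hosts ending
// in ".psim.us" with a non-empty label in front, so "psim.us", "psim.us.evil"
// and "evil/.psim.us" are rejected. Never reflect an arbitrary Origin.
func originAllowed(origin string) bool {
	for _, pattern := range allowedOrigins {
		scheme, hostPattern, ok := strings.Cut(pattern, "://")
		if !ok || !strings.HasPrefix(origin, scheme+"://") {
			continue
		}
		host := strings.TrimPrefix(origin, scheme+"://")
		if !strings.HasPrefix(hostPattern, "*.") {
			if host == hostPattern {
				return true
			}
			continue
		}
		suffix := hostPattern[1:] // ".psim.us"
		label := strings.TrimSuffix(host, suffix)
		if strings.HasSuffix(host, suffix) && label != "" &&
			!strings.ContainsAny(label, "/:@?#\\") {
			return true
		}
	}
	return false
}

// withCORS answers the browser's preflight OPTIONS and reflects the Origin only
// when originAllowed approves it; Vary: Origin keeps caches from mixing origins.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if origin := r.Header.Get("Origin"); originAllowed(origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			// No Access-Control-Allow-Credentials on purpose: this endpoint
			// must not depend on a cookie session, which is what makes
			// opening it to other origins safe (Zarel's point above).
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var pastes sync.Map // id -> body; in-memory stand-in for the real store

// createHandler stores the "paste" field and redirects to the new paste, as
// the thread describes; format=json (hypothetical, not PokePaste's API) returns
// the URL in the body for clients that cannot read the redirect target.
func createHandler(w http.ResponseWriter, r *http.Request) {
	body := r.FormValue("paste")
	if strings.TrimSpace(body) == "" {
		http.Error(w, "empty paste", http.StatusBadRequest)
		return
	}
	raw := make([]byte, 8)
	if _, err := rand.Read(raw); err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	id := hex.EncodeToString(raw)
	pastes.Store(id, body)
	if r.FormValue("format") == "json" {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"id": id, "url": "/" + id})
		return
	}
	http.Redirect(w, r, "/"+id, http.StatusSeeOther)
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/create", withCORS(http.HandlerFunc(createHandler)))
	panic(http.ListenAndServe(":8080", mux))
}
```

Two things worth noting when adapting this. The server still processes a POST from an origin that is not on the allowlist; CORS only controls whether the browser lets the calling page read the response, so anything the endpoint does must already be safe to trigger from anywhere. And the wildcard match deliberately works on the whole host with a dot boundary rather than a substring search, because `strings.Contains(origin, "psim.us")` would accept `https://psim.us.attacker.example`.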

felixphew commented 3 years ago

Ah, I wasn't aware that being unable to capture the redirect still meant that you could work with the redirected page if that has ACAO set appropriately. I'll do that now.

felixphew commented 3 years ago

Done, try now?

MiguelCGa commented 8 months ago

Hello! I'm trying to automatically parse official rk9 teamlists from the VGC circuit tournaments into pokepaste, but I'm having trouble with the last step, which is getting the generated pokepaste URL once I've made the /create request. I found this open issue and wanted to know if I'm missing something: whether there is already a way of getting it, whether it's in the works, or whether it's been abandoned. Thank you!