prismicio / javascript-jquery-starter

Starter project for JavaScript & JQuery – Works with any prismic.io repository
http://developers.prismic.io

oauth support: problem with CORS headers and 401 response #7

Closed ashelley closed 10 years ago

ashelley commented 10 years ago

Hello,

I'm trying to connect to a private repository using OAuth. However, I don't believe the server is sending the proper headers back for the CORS request.

For example, if I try to connect to my private repository I get this from Chrome:

XMLHttpRequest cannot load https://mydomain.prismic.io/api. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. 

In Firefox I get a similar problem:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://mydomain.prismic.io/api. This can be fixed by moving the resource to the same domain or enabling CORS.

I've set up a proxy on my localhost to send back the proper headers to the browser and this gets me past the problem; however, this code does not work even if the CORS problem didn't exist. The response from the server I get is:

> xhr.status
401
> xhr.response
"{"error":"Invalid access token","oauth_initiate":"https://mydomain.prismic.io/auth","oauth_token":"https://mydomain.prismic.io/auth/token"}"

Because the non-200 response will cause a failure, the signin.html code can never work, because the error condition always prevents it from working.

From signin.html

Helpers.getApiHome(
    function(err, api) {
        if (err) { Configuration.onPrismicError(err); return; }
        document.location =
            api.data.oauthInitiate + 
            '?response_type=token' +
            '&client_id=' + encodeURIComponent(Configuration['clientId']) +
            '&redirect_uri=' + encodeURIComponent(document.location) +
            '&scope=' + encodeURIComponent('master+releases');
    }
);

Note: you can get an access token if you manually enter into the browser the URL that would normally be generated by signin.html:

https://mydomain.prismic.io/auth?response_type=token&client_id=yourclientid&redirect_uri=http%3A%2F%2Flocalhost%3A3000&scope=master%2Breleases

Steps to reproduce:

1) Make your repository private in the prismic.io interface and add an application.
2) Change your prismic-configuration.js file to contain your clientId and clientSecret.
3) Try to access index.html or signin.html; you will get the CORS error.

Note: if you use Fiddler to decrypt the traffic you can see that the error response comes back but the browser still throws the CORS error.

oldie85 commented 10 years ago

Any resolution to this issue? I'm facing the same problem.

ashelley commented 10 years ago

I ended up moving on from prismic integration in my application (for now) and didn't receive a response on this issue. I think this is the only place I filed the bug. I believe unless prismic changes their server to send back the proper CORS headers in the response, the only way to work around this issue is to proxy the request through your own server. However, I haven't worked on this issue since I posted it. Just wanted to update you with what I know.

rudyrigot commented 10 years ago

Hey guys, sorry for the late response. Someone on the prismic.io team is working on it today; you can expect details and a resolution soon.

rudyrigot commented 10 years ago

Hey guys, thanks for your patience; we confirm the issue was on the API side, and was fixed today.

Thanks a lot for reporting it!

whyvez commented 9 years ago

@rudyrigot We are seeing this issue today. We added login to the website in question using auth0. While not logged in, the requests to prismic work without a pre-flight check and all is good. When logged in, the prismic.io API request triggers a pre-flight check and that fails. Could it be the headers maybe?

We are also using angular-prismicio.

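An added example, not part of the thread and not prismic.io code: a simplified model of the browser-side CORS checks from the Fetch standard, covering both reports above (a 401 that comes back without `Access-Control-Allow-Origin`, and a request that starts triggering a preflight once logged in). It assumes the login layer attaches an `Authorization` header, which the thread does not confirm, and that cookies are not sent on the preflighted request; the bearer value in any call is constructed.

```javascript
// Simplified model of browser CORS checks (Fetch standard). Not modelled:
// header value length/byte limits, Range, upload listeners, credentialed preflights.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Lower-case header names so lookups are case-insensitive.
function lower(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Names of request headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(lower(headers)).filter(([name, value]) => {
    if (SAFE_HEADERS.has(name)) return false;
    if (name !== 'content-type') return true;
    return !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }).map(([name]) => name);
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// CORS check on a response; it applies to every status, including 401.
function corsCheck(origin, responseHeaders, withCredentials = false) {
  const h = lower(responseHeaders);
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (!withCredentials) return allow === '*' || allow === origin;
  return allow === origin && h['access-control-allow-credentials'] === 'true';
}

// Does the OPTIONS response permit the real request?
function preflightPasses(origin, method, headers, status, responseHeaders) {
  if (status < 200 || status > 299) return false;
  if (!corsCheck(origin, responseHeaders)) return false;
  const h = lower(responseHeaders);
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase());
  const methods = list(h['access-control-allow-methods']);
  const allowed = list(h['access-control-allow-headers']);
  const methodOk = SAFE_METHODS.has(method.toUpperCase()) ||
    methods.includes(method.toLowerCase()) || methods.includes('*');
  // "authorization" must be listed by name; "*" does not cover it.
  return methodOk && unsafeHeaders(headers).every((n) =>
    allowed.includes(n) || (allowed.includes('*') && n !== 'authorization'));
}
```

When `corsCheck` fails, the page's script sees only a network error even though the response body reached the browser, which matches the Fiddler observation in the first post.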

gabzim commented 8 years ago

I have this same issue. Been using prismic for 2 days; things are getting frustrating.

erwan commented 8 years ago

Hi,

@arg20 can you give some details about the problem you're having? This is an old ticket, the issue was fixed and the code base is very different from what it is now.

desirelabs commented 7 years ago

Same issue here with open API, and only with Firefox and Safari.