qlik-oss / qlik-api-ts

Typescript types and Javascript library for consuming Qlik API's
https://qlik.dev
ISC License

getReloads() is not working #28

Closed rkassoss closed 7 months ago

rkassoss commented 8 months ago

Trying to use getReloads({}) but yields 400 bad request error:

https://github.com/qlik-oss/qlik-api-ts/blob/main/reloads.js

It seems in the docs that there is no need to pass any params to "api/v1/reloads" for retrieving list of reloads

```ts
import { reloads, spaces } from '@qlik/api';

const mySpaces = await spaces.getSpaces({}); // works fine
console.log(mySpaces.data);

const myReload: any = await reloads.getReload('65b3b6339dabfe13223f8539'); // works fine
console.log(myReload.data);

const tenantReloads: any = await reloads.getReloads({}); // 400 error
console.log(tenantReloads.data);
```

[image]

(curlys are mandatory due to typescript): [image]

JoelDCarter commented 8 months ago

@rkassoss, I'm not on the team that maintains this lib, but it may be worth examining the request in the Network tab of the browser's Developer Tools to see if there's something missing, extra, or corrupted with the request, ex. the bearer token is missing in the request headers. I know it's not the same client but see below where I performed a simple GET request using qlik-cli against the same REST API endpoint. It completed successfully without any parameters in the querystring. Providing more details about the request may help our team identify the issue faster.

[image]

nilzona commented 8 months ago

hey @rkassoss

It looks like you've found a bug. We will look into it.

rkassoss commented 8 months ago

Thanks @JoelDCarter , Yes, using "qlik-cli reloads" or Postman, directly to "api/v1/reloads" works fine without any params or queries. Tried also passing something in the query like {limit:100} but got the same 400 Bad Request error.

Thanks for confirming @nilzona !

glooms commented 8 months ago

Hi @rkassoss, here's an update.

We've been able to reproduce the issue and it seems to be due to credentials and not due to the query-parameters as the error-message might suggest. Listing all reloads is only allowed for users with the tenant-admin scope (if I understood things correctly) and for whatever reason this scope is lacking in this particular embedding scenario. Still looking into why that is.

The query-object is still (unfortunately perhaps, in this case) needed even though all the parameters are optional.

rkassoss commented 8 months ago

Thanks for confirming @glooms ! My user is in fact an admin and therefore I am able to use getSpaces({}) or getUsers({}) without an issue.

Also tried auth with WebIntegrationId + 3PC , same result:

[image]

[image]

Any workaround you could recommend for developing a single page app that allows users to view/manage their reloads in real time?

nilzona commented 7 months ago

@rkassoss

I suspect there are some limitations to webIntegrationID.

Can you try to do another admin call, for example:

```ts
import { auth, webhooks } from "@qlik/api";

// set the auth
auth.setDefaultHostConfig(...);

const { status, data } = await webhooks.createWebhook({name: "ABC", url:"abc.com"})
```

rkassoss commented 7 months ago

@nilzona , Gave "webhooks" a try: Getting a different error - forbidden 403 with an infinite loop for authorizing the request.

Seeing the same result for both Auth scenarios: when using OAuth2 or WebIntegrationID

nilzona commented 7 months ago

@rkassoss

I've been digging into this a bit more ... So when using this library in a cross-site Web Application you will not be able to use web-integration ID for admin related tasks. All admin permissions are stripped away from the user when accessing APIs with a web-integration ID.

When using OAuth there is not yet any scope that can be used in a web application (single-page-app oauth client) that will allow a user to fetch all reloads. The classic.admin scope is not allowed in a single-page-app oauth client.

The 400 response is however misleading and I consider it to be a bug. I have raised an issue to the team owning the service that the response should really be 403. But either way it will not make the api work for you.

At the moment this api will not work in a web application ... only if you're running the @qlik/api library in a NodeJS application with either an API key or an OAuth client with the type "Web" and M2M enabled ... with the classic/admin scope.
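The server-side setup described in the comment above, sketched as an added example (not code from this thread or from @qlik/api): a NodeJS-side call to api/v1/reloads with an API key that reports the misleading 400 as an authorization failure. The names listTenantReloads, classifyStatus and stubTenant, the injected HTTP function and the `{ data: [...] }` response shape are assumptions.

```typescript
// Added example, not code from the qlik-api-ts project.
// Assumptions: an API key held in server-side configuration, an injected
// HTTP GET function, and a list response shaped { data: [...] }.
type Reason = "ok" | "not-authorized" | "unauthenticated" | "other";
type ReloadsResult = { ok: boolean; status: number; reason: Reason; reloads: unknown[] };
type HttpResponse = { status: number; json(): Promise<unknown> };
type HttpGet = (url: string, init: { headers: Record<string, string> }) => Promise<HttpResponse>;

// Per the thread, the service answers 400 when the caller lacks the admin
// permission (403 would be the accurate code). No query string is sent here,
// so a 400 is read as an authorization failure, the same as a 403.
function classifyStatus(status: number): Reason {
  if (status === 200) return "ok";
  if (status === 400 || status === 403) return "not-authorized";
  if (status === 401) return "unauthenticated";
  return "other";
}

// Runs on the server only, so the API key never reaches the browser.
async function listTenantReloads(httpGet: HttpGet, host: string, apiKey: string): Promise<ReloadsResult> {
  const res = await httpGet(`https://${host}/api/v1/reloads`, {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  const reason = classifyStatus(res.status);
  if (reason !== "ok") return { ok: false, status: res.status, reason, reloads: [] };
  const body = (await res.json()) as { data?: unknown[] };
  return { ok: true, status: res.status, reason, reloads: Array.isArray(body.data) ? body.data : [] };
}

// Constructed stand-in for the tenant, for offline runs: it lists reloads only
// for the admin key and answers 400 otherwise, as reported in this thread.
function stubTenant(adminKey: string): HttpGet {
  return async (_url, init) => {
    const isAdmin = init.headers["Authorization"] === `Bearer ${adminKey}`;
    return isAdmin
      ? { status: 200, json: async () => ({ data: [{ id: "constructed-reload-id" }] }) }
      : { status: 400, json: async () => ({}) };
  };
}
```

In a real NodeJS service, the `httpGet` argument would be a thin wrapper around the runtime's HTTP client.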

rkassoss commented 7 months ago

Thanks @nilzona! Appreciate you looking into this. I will go ahead and set up an OAuth2-Web scenario and go from there.

nilzona commented 7 months ago

Will close this one for now