umami-software / umami

Umami is a simple, fast, privacy-focused alternative to Google Analytics.
https://umami.is
MIT License

CORS Policy Issue with Umami Cloud API Access #2881

Open jerryc127 opened 3 months ago

jerryc127 commented 3 months ago

Describe the Bug

I am writing to inquire about a CORS policy issue I encountered while attempting to use the Umami Cloud API. I am currently registered under the free plan, and I am attempting to access the API with the following code:

const ddf = async () => {
  let headersList = {
    "Accept": "application/json",
    "x-umami-api-key": "xxxx"
  }

  let response = await fetch("https://api.umami.is/v1/websites/54fdbb4b-9a17-4bef-9ede-73cbbbc12fa5/stats?startAt=0000000000&endAt=1723571288005", { 
    method: "GET",
    headers: headersList
  });

  let data = await response.text();
  console.log(data);
}
ddf();

However, when I attempt to execute this code, I am encountering the following error in the console:

Access to fetch at 'https://api.umami.is/v1/websites/54fdbb4b-9a17-4bef-9ede-73cbbbc12fa5/stats?startAt=0000000000&endAt=1723571288005' from origin 'https://xxxxx.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Could you provide guidance on how to resolve this issue?

Database

Umami Cloud

Relevant log output

No response

Which Umami version are you using? (if relevant)

No response

Which browser are you using? (if relevant)

Edge

How are you deploying your application? (if relevant)

No response

franciscao633 commented 3 months ago

The API should work without signing up for a pro plan. I was able to run your code without any issues, only changing the website ID and API key. Have you tried running it with the various CORS headers?

MichaelBelgium commented 3 months ago

This is the same case with self-hosted.

I had to add these to the Apache config:

        Header unset Access-Control-Allow-Origin
        Header always set Access-Control-Allow-Origin "<website you're trying to fetch from>"
        Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
        Header always set Access-Control-Max-Age "1000"
        Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [R=200,L]
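
As an added example (not from this thread or from the Umami project), the sketch below models the browser's CORS preflight check in simplified form (no credentials mode, names compared case-insensitively) and runs the request from the issue against constructed preflight responses. `checkPreflight`, the sample objects and the response values are assumptions for illustration; it shows that a request sending `x-umami-api-key` needs that header name in `Access-Control-Allow-Headers` as well as a matching `Access-Control-Allow-Origin`.

```javascript
// Added example: simplified model of the browser's CORS preflight check.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

const parseList = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request header names that are not CORS-safelisted and so must be allowed by the server.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") return !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase());
    return !SAFE_HEADERS.has(n);
  }).map(([name]) => name.toLowerCase());
}

// req: { origin, method, headers }. res: { status, headers } with lower-case header names.
// Returns the reasons the preflight fails; an empty list means the real request is sent.
function checkPreflight(req, res) {
  const problems = [];
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  const acao = res.headers["access-control-allow-origin"];
  if (!acao) problems.push("no Access-Control-Allow-Origin header");
  else if (acao !== "*" && acao !== req.origin) problems.push(`origin ${req.origin} not allowed`);
  const methods = parseList(res.headers["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes("*") && !methods.includes(req.method.toLowerCase()))
    problems.push(`method ${req.method} not allowed`);
  const allowed = parseList(res.headers["access-control-allow-headers"]);
  for (const h of unsafeHeaders(req.headers)) {
    const wildcard = allowed.includes("*") && h !== "authorization"; // "*" never covers Authorization
    if (!wildcard && !allowed.includes(h)) problems.push(`header ${h} not allowed`);
  }
  return problems;
}

// The request from the issue (the API key value is the page's placeholder).
const issueRequest = { origin: "https://xxxxx.com", method: "GET",
  headers: { "Accept": "application/json", "x-umami-api-key": "xxxx" } };
// Constructed preflight responses: no CORS headers, then the header values from the Apache snippet above.
const bare = { status: 200, headers: {} };
const apacheStyle = { status: 200, headers: {
  "access-control-allow-origin": "https://xxxxx.com",
  "access-control-allow-methods": "POST, GET, OPTIONS, DELETE, PUT",
  "access-control-allow-headers": "x-requested-with, Content-Type, origin, authorization, accept, client-security-token" } };
const withApiKey = { status: 200, headers: { ...apacheStyle.headers,
  "access-control-allow-headers": apacheStyle.headers["access-control-allow-headers"] + ", x-umami-api-key" } };

for (const res of [bare, apacheStyle, withApiKey]) console.log(checkPreflight(issueRequest, res));
```

A real browser stops at the first failed check and reports only that one; this sketch lists every failure so all missing headers are visible at once.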

mikecao commented 3 months ago

@jerryc127 We've pushed out a few updates. Are you still having issues?

jerryc127 commented 3 months ago

@jerryc127 We've pushed out a few updates. Are you still having issues?

Yes, it's another error.

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 60 days with no activity.

jerryc127 commented 3 weeks ago

Is there any solution?