I have a simple post request with axios:
axios.post('my endpoint', values).then(res => console.log(res.headers));
axios is listing those values as headers:
cache-control: "max-age=0, private, must-revalidate"
content-length: "13757"
content-type: "application/xml; charset=utf-8"
but when I check the network tab in chrome, I can see those values under response headers:
access-control-allow-origin: http://localhost:8080
access-control-expose-headers: Total,Total-Pages
cache-control: max-age=0, private, must-revalidate
content-length: 13757
content-type: application/xml; charset=utf-8
date: Thu, 02 Sep 2021 19:37:42 GMT
x-envoy-upstream-service-time: 385
x-request-id: FqEYfGCtbcHGzzwASr4C
I need to access the x-request-id header, but there is no way to get this with axios or fetch.
I saw some messages about the header being blocked by cors, but I have X-Request-Id in my access-control-allow-headers
Someone has any idea how to get this header with axios?
I think you have to specify this on the server so that axios has access to the specific headers you require.
https://stackoverflow.com/a/37931084/8818020
Related
i am using the google calendar api to write events to my organization's calendar, but i cannot figure out how to refresh the access token so that my program can use the calendar for more than an hour at a time.
to recreate the error:
generate oauth client id and client secret from your project's google cloud console
select calendar and calender.events scope at https://developers.google.com/oauthplayground
exchange the Authorization Code generated by Google's OAuth Playground for a refresh token and a temporary access token
list https://developers.google.com/oauthplayground as a valid redirect uri for your client on your project's cloud console
attempt to refresh your access token using your client id and client secret from your cloud console
THE PROBLEM
Google's OAuth playground access token expires after 3600s (1hr). I am able to refresh the access token using google's stand-in client credentials, but when I try to make the request (either from the playground itself or from postman), I am met with the following error message
{
"error_description": "Unauthorized",
"error": "unauthorized_client"
}
I have verified that the oauth playground is listed as a valid redirect uri for my client in the cloud console. I have also compared my POST request to the one google sends when refreshing the access token with placeholder credentials to ensure that I am sending all necessary params.
REQUESTS/RESPONSES
POST request on Oauth playground using google's default client credentials
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-length: 223
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
client_secret=************&grant_type=refresh_token&refresh_token=1%2F%2F04qg5N0zhIRbPCgYIARAAGAQSNwF-L9IrTEZny7y_4wpbjLUh7ImtWRu473AQeTG3NG49ogQVzDZJe99BnS1TwFjwX7S2mNbLOYQ&client_id=407408718192.apps.googleusercontent.com
Response from Google's oauth playground when making the above request
HTTP/1.1 200 OK
Content-length: 385
X-xss-protection: 0
X-content-type-options: nosniff
Transfer-encoding: chunked
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Vary: Origin, X-Origin, Referer
Server: scaffolding on HTTPServer2
-content-encoding: gzip
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 31 Aug 2022 22:13:53 GMT
X-frame-options: SAMEORIGIN
Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Content-type: application/json; charset=utf-8
{
"access_token": "ya29.a0AVA9y1sTkPpmJIHvIBNODwdXr36hzumPEmoJGFBB1y29SZVwiE_QBy7RuTjDNzPkKyBOJ7RD1LBceTooeUZuNl-wN5dkyqsjFF5ynMkcShwG_yADXazPUFXngsSGuW_WRuVR01s9FOnv2N5gzkPldvQEtLaZaCgYKATASAQASFQE65dr8ZDuFe5BQyBG8ostdxK5ObQ0163",
"scope": "https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/calendar",
"expires_in": 3599,
"token_type": "Bearer"
}
POST request to google's Oauth playground using MY client credentials
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-length: 279
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
client_secret=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&grant_type=refresh_token&refresh_token=1%2F%2F04qg5N0zhIRbPCgYIARAAGAQSNwF-L9IrTEZny7y_4wpbjLUh7ImtWRu473AQeTG3NG49ogQVzDZJe99BnS1TwFjwX7S2mNbLOYQ&client_id=804898855072-r91v64ojblf83if1pe9f8vr4mumubecc.apps.googleusercontent.com
Response from Google's oauth playground when making the above request
HTTP/1.1 401 Unauthorized
Content-length: 75
X-xss-protection: 0
X-content-type-options: nosniff
Transfer-encoding: chunked
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Vary: Origin, X-Origin, Referer
Server: scaffolding on HTTPServer2
-content-encoding: gzip
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 31 Aug 2022 22:16:15 GMT
X-frame-options: SAMEORIGIN
Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Content-type: application/json; charset=utf-8
{
"error_description": "Unauthorized",
"error": "unauthorized_client"
}
Any guidance is greatly appreciated. Google seriously needs some better docs!
unauthorized_client
Normally means that the client id and client secrete you are using with a refresh token is not the client id and client secret that were used to create it.
You should not be using playground to create tokens. You should be creating them in your app and refreshing them in your app.
Remember you can not refresh an token using a client side language. I am not a reactJs dev so if this is running client side that could also be the cause of your error. Use a server sided language.
Trying to get chunked content with Google AppScript UrlFetchApp:
UrlFetchApp.fetch(url, {muteHttpExceptions:true});
Unfortunately, it does not handle it well and stops after first chunk or somewhere between.
Here are the HTTP response headers:
HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers:
cache-control: max-age=0, private, must-revalidate
content-type: application/json; charset=utf-8
date: Fri, 26 Oct 2018 11:15:24 GMT
x-request-id: 2lgi8mvh6onm5jrvf8000tl1
transfer-encoding: chunked
Connection: keep-alive
Does UrlFetchApp even support chunked responses? If not, is there any alternative?
We have two frontend urls that need to get data from the same API.
The MDN doc says multiple origins are allowed:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
But when I get the following result (in Chrome 68):
Failed to load http://localhost:8080/api/1.0/test/: The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:8080, http://localhost:4000', but only one is allowed. Origin 'http://localhost:4000' is therefore not allowed access. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Request headers
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: nb-NO,nb;q=0.9,no;q=0.8,nn;q=0.7,en-US;q=0.6,en;q=0.5,da;q=0.4,sv;q=0.3
Cache-Control: no-cache
Connection: keep-alive
Cookie: (...)
Host: localhost:8080
Origin: http://localhost:4000
Pragma: no-cache
Referer: http://localhost:4000/test
Response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Allow-Origin: http://localhost:4000
Cache-Control: must-revalidate
Cache-Control: private
Cache-Control: max-age=2
Content-Type: application/json;charset=UTF-8
Date: Thu, 30 Aug 2018 07:44:51 GMT
I have a problem with Chrome - in the network tab it only displays an empty Access-Control-Exposed-Headers header.
In postman the header's value is visible:
When trying to access the ETag header through the getResponseHeader('ETag') method of the XMLHttpRequest I'm getting a Refused to get unsafe header "etag" error. I already ran out of ideas how to fix this. Does anybody know what could be wrong?
EDIT: Apparently that behaviour is caused by the Origin header - when it is present in the request, the Access-Control-Expose-Headers in the response is empty. Unfortunately, I don't have access to the backend code, so I can't provide an example. All response headers:
HTTP/1.1 200 OK
Server: openresty/1.9.7.5
Date: Sun, 03 Sep 2017 13:02:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Expose-Headers:
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: *,x-requested-with,Content-Type,If-Modified-Since,If-None-Match,latest_time
Access-Control-Max-Age: 1728000
ETag: "eef3e52bc505031d93da42098f32cc60"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: eb5c7353-0b4b-43c8-b2ff-4763d56d9ec9
X-Runtime: 0.015680
Access-Control-Allow-Credentials: true
Vary: Origin
I have the following coffee script which performs some sort of login:
signIn: (url, completion) ->
$.ajax
method: 'GET'
url: url
dataType: 'json'
error: (jqXHR, status, errorThrown) ->
completion false, errorThrown
success: (data)->
completion true, data.Identifier
When I check the given URL in the browser I get a valid JSON Response back.
However, when this call is executed using JavaScript I get the following error in the console . Please note that I have changed the URLs for obfuscation:
XMLHttpRequest cannot load http://my.servicedomain.com/session/someIdentifier?access_token=secret.
Origin http://html.server.net is not allowed by Access-Control-Allow-Origin.
These are my headers, which I get from the my.servicedomain.com server:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 1417
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization
Date: Wed, 10 Jul 2013 14:24:35 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: Keep-Alive
Why do I get this error, even though I have Access-Control-Allow-Origin: * in the response header?
I have just figured out the answer myself. I knew that I had duplicated headers in my response, but I was assuming this would not be a problem.
It looks like this is a Problem according to the CORS Spec:
If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.
This is also described in this SO Thread:
Will duplicate "Access-Control-Allow-Origin: *" headers break CORS?