FourSquare API doesn't support CORS - javascript

The FourSquare API documentation states that it supports CORS. However, a call to the /users/ endpoints clearly states that only GET requests are supported:
curl -X OPTIONS -i "https://api.foursquare.com/v2/users/self/checkins?oauth_token=CLIENT_OAUTH_TOKEN"
HTTP/1.1 405 Method Not Allowed
Access-Control-Allow-Origin: *
Cache-Control: no-cache, private, no-store
Content-Type: application/json; charset=utf-8
Date: Wed, 13 Feb 2013 04:31:54 GMT
Expires: Wed, 13 Feb 2013 04:31:54 GMT
Pragma: no-cache
Server: nginx/1.2.1
Tracer-Time: 17
Content-Length: 104
Connection: keep-alive
{"meta":{"code":405,"errorType":"other","errorDetail":"This endpoint only supports GET."},"response":{}}
Is this just particular to these API endpoints or has something changed?

I haven't looked into all the methods in the FourSquare API, but my guess is that FourSquare doesn't need to support preflight requests because all their API requests are simple. The docs here suggest that the API only supports GET and POST. If those requests don't have any custom headers, they will never need a preflight request.
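
The simple-request rule this answer relies on, as an added example that is not part of the original posts: a sketch of the Fetch standard's safelists that decide whether a browser sends an OPTIONS preflight first. The function names are hypothetical.

```javascript
// Added example: decides whether a browser would send a CORS preflight
// (OPTIONS) before a cross-origin request, following the Fetch standard's
// safelists. Not modelled: XMLHttpRequest upload listeners, ReadableStream
// bodies and the 1024-byte total limit, which can also force a preflight.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Bytes the standard treats as unsafe in Accept and Content-Type values.
const UNSAFE_BYTE = /[\x00-\x08\x0a-\x1f"():<>?@[\\\]{}\x7f]/;

function isSafelistedHeader(name, value) {
  if (new TextEncoder().encode(value).length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !UNSAFE_BYTE.test(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type":
      if (UNSAFE_BYTE.test(value)) return false;
      return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    case "range":
      return /^bytes=\d+-\d*$/.test(value);
    default:
      return false; // Authorization, X-Requested-With, any custom header
  }
}

function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

// A GET with the token in the query string, as in the question's URL.
console.log(needsPreflight("GET"));
// A JSON POST is not a simple request and would need OPTIONS support.
console.log(needsPreflight("POST", { "Content-Type": "application/json" }));
```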

Related

refresh access token for google calendar api using javascript (react)

I am using the Google Calendar API to write events to my organization's calendar, but I cannot figure out how to refresh the access token so that my program can use the calendar for more than an hour at a time.
To recreate the error:
Generate an OAuth client ID and client secret from your project's Google Cloud console
Select the calendar and calendar.events scopes at https://developers.google.com/oauthplayground
Exchange the Authorization Code generated by Google's OAuth Playground for a refresh token and a temporary access token
List https://developers.google.com/oauthplayground as a valid redirect URI for your client on your project's cloud console
Attempt to refresh your access token using your client ID and client secret from your cloud console
THE PROBLEM
Google's OAuth playground access token expires after 3600s (1hr). I am able to refresh the access token using google's stand-in client credentials, but when I try to make the request (either from the playground itself or from postman), I am met with the following error message
{
"error_description": "Unauthorized",
"error": "unauthorized_client"
}
I have verified that the oauth playground is listed as a valid redirect uri for my client in the cloud console. I have also compared my POST request to the one google sends when refreshing the access token with placeholder credentials to ensure that I am sending all necessary params.
REQUESTS/RESPONSES
POST request on Oauth playground using google's default client credentials
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-length: 223
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
client_secret=************&grant_type=refresh_token&refresh_token=1%2F%2F04qg5N0zhIRbPCgYIARAAGAQSNwF-L9IrTEZny7y_4wpbjLUh7ImtWRu473AQeTG3NG49ogQVzDZJe99BnS1TwFjwX7S2mNbLOYQ&client_id=407408718192.apps.googleusercontent.com
Response from Google's oauth playground when making the above request
HTTP/1.1 200 OK
Content-length: 385
X-xss-protection: 0
X-content-type-options: nosniff
Transfer-encoding: chunked
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Vary: Origin, X-Origin, Referer
Server: scaffolding on HTTPServer2
-content-encoding: gzip
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 31 Aug 2022 22:13:53 GMT
X-frame-options: SAMEORIGIN
Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Content-type: application/json; charset=utf-8
{
"access_token": "ya29.a0AVA9y1sTkPpmJIHvIBNODwdXr36hzumPEmoJGFBB1y29SZVwiE_QBy7RuTjDNzPkKyBOJ7RD1LBceTooeUZuNl-wN5dkyqsjFF5ynMkcShwG_yADXazPUFXngsSGuW_WRuVR01s9FOnv2N5gzkPldvQEtLaZaCgYKATASAQASFQE65dr8ZDuFe5BQyBG8ostdxK5ObQ0163",
"scope": "https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/calendar",
"expires_in": 3599,
"token_type": "Bearer"
}
POST request to google's Oauth playground using MY client credentials
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-length: 279
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
client_secret=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&grant_type=refresh_token&refresh_token=1%2F%2F04qg5N0zhIRbPCgYIARAAGAQSNwF-L9IrTEZny7y_4wpbjLUh7ImtWRu473AQeTG3NG49ogQVzDZJe99BnS1TwFjwX7S2mNbLOYQ&client_id=804898855072-r91v64ojblf83if1pe9f8vr4mumubecc.apps.googleusercontent.com
Response from Google's oauth playground when making the above request
HTTP/1.1 401 Unauthorized
Content-length: 75
X-xss-protection: 0
X-content-type-options: nosniff
Transfer-encoding: chunked
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Vary: Origin, X-Origin, Referer
Server: scaffolding on HTTPServer2
-content-encoding: gzip
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 31 Aug 2022 22:16:15 GMT
X-frame-options: SAMEORIGIN
Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Content-type: application/json; charset=utf-8
{
"error_description": "Unauthorized",
"error": "unauthorized_client"
}
Any guidance is greatly appreciated. Google seriously needs some better docs!
unauthorized_client
Normally means that the client id and client secret you are using with a refresh token are not the client id and client secret that were used to create it.
You should not be using playground to create tokens. You should be creating them in your app and refreshing them in your app.
Remember you cannot refresh a token using a client-side language. I am not a ReactJS dev, so if this is running client-side that could also be the cause of your error. Use a server-side language.

Can't access x-request-id header with axios

I have a simple post request with axios:
axios.post('my endpoint', values).then(res => console.log(res.headers));
axios is listing those values as headers:
cache-control: "max-age=0, private, must-revalidate"
content-length: "13757"
content-type: "application/xml; charset=utf-8"
but when I check the network tab in chrome, I can see those values under response headers:
access-control-allow-origin: http://localhost:8080
access-control-expose-headers: Total,Total-Pages
cache-control: max-age=0, private, must-revalidate
content-length: 13757
content-type: application/xml; charset=utf-8
date: Thu, 02 Sep 2021 19:37:42 GMT
x-envoy-upstream-service-time: 385
x-request-id: FqEYfGCtbcHGzzwASr4C
I need to access the x-request-id header, but there is no way to get this with axios or fetch.
I saw some messages about the header being blocked by CORS, but I have X-Request-Id in my access-control-allow-headers.
Does anyone have any idea how to get this header with axios?
I think you have to specify this on the server so that axios has access to the specific headers you require.
https://stackoverflow.com/a/37931084/8818020
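
What the server has to specify is Access-Control-Expose-Headers. The following added example (not part of the original posts; function and constant names are hypothetical) applies the Fetch standard's response-header filter to the headers from the question and reproduces the three headers axios printed.

```javascript
// Added example: which response headers a cross-origin script may read.
// Access-Control-Allow-Headers is not consulted: it only governs which
// request headers a preflight permits.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

function scriptVisibleHeaders(responseHeaders, { credentials = false } = {}) {
  const lower = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const exposed = (lower["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  // "*" exposes everything only for requests made without credentials.
  const wildcard = !credentials && exposed.includes("*");
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || wildcard || exposed.includes(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Response headers copied from the question's network tab.
const OBSERVED = {
  "access-control-allow-origin": "http://localhost:8080",
  "access-control-expose-headers": "Total,Total-Pages",
  "cache-control": "max-age=0, private, must-revalidate",
  "content-length": "13757",
  "content-type": "application/xml; charset=utf-8",
  "date": "Thu, 02 Sep 2021 19:37:42 GMT",
  "x-envoy-upstream-service-time": "385",
  "x-request-id": "FqEYfGCtbcHGzzwASr4C",
};
// Constructed fix: the server also lists X-Request-Id as exposed.
const FIXED = {
  ...OBSERVED,
  "access-control-expose-headers": "Total,Total-Pages,X-Request-Id",
};

console.log(Object.keys(scriptVisibleHeaders(OBSERVED)));
console.log(scriptVisibleHeaders(FIXED)["x-request-id"]);
```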

HttpOnly Secure Cookies not being sent

Yes, another question about httpOnly Cookies.
Like a lot of other people, I'm stuck at the same place.
I get the cookie from the server but it is never sent with other requests.
I have mysite.example.com in angularjs trying to connect to api.example.com.
Here are the response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://mysite.example.com
Connection: keep-alive
Content-Length: 2855
Content-Type: application/json
Date: Wed, 09 Jun 2021 00:52:54 GMT
Server: Apache/2.4.46 (Amazon) OpenSSL/1.0.2k-fips
Set-Cookie: WEB-TOKEN=158b691a-65fb-49c2-9d88-63bd1935531f;Version=1;Comment=;Max-Age=3600;Secure;HttpOnly;Expires=Wed, 09 Jun 2021 00:52:54 GMT
vary: Origin
Then, in AngularJS, I send a request like this (from mysite.example.com):
$http.get('https://api.example.com/userdetails', { withCredentials: true, headers: { } });
Is there anything not sent or just wrong?
Thank you!
The Path. Yes. I was missing the Path to %x2F. :)
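
Why a missing Path attribute can keep a cookie from being sent, as an added example that is not part of the original posts: the RFC 6265 default-path and path-match rules applied to the Set-Cookie value from the question. The function names and the /auth/login URL that sets the cookie are assumptions, since the question does not show the login endpoint.

```javascript
// Added example: RFC 6265 cookie-path handling. Domain, Secure, SameSite
// and expiry checks are not modelled here.

// Section 5.1.4: default-path derived from the URL that set the cookie.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// Section 5.1.4: does requestPath path-match cookiePath?
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Section 5.2.4: a Path attribute that is missing, empty or not starting
// with "/" falls back to the default-path; the last Path attribute wins.
function effectivePath(setCookie, settingPath) {
  const paths = setCookie.split(";").slice(1)
    .map((a) => a.trim())
    .filter((a) => /^path=/i.test(a))
    .map((a) => a.slice(5).trim());
  const value = paths.length ? paths[paths.length - 1] : "";
  return value.startsWith("/") ? value : defaultPath(settingPath);
}

function wouldSend(setCookie, settingPath, requestPath) {
  return pathMatches(effectivePath(setCookie, settingPath), requestPath);
}

// Set-Cookie value from the question (no Path attribute).
const NO_PATH = "WEB-TOKEN=158b691a-65fb-49c2-9d88-63bd1935531f;Version=1;" +
  "Comment=;Max-Age=3600;Secure;HttpOnly;Expires=Wed, 09 Jun 2021 00:52:54 GMT";
// Constructed variant with the attribute the answer says was missing.
const WITH_PATH = NO_PATH + ";Path=/";
// Assumption: the cookie was set by a response from /auth/login.
const SETTING_PATH = "/auth/login";

console.log(wouldSend(NO_PATH, SETTING_PATH, "/userdetails"));
console.log(wouldSend(WITH_PATH, SETTING_PATH, "/userdetails"));
```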

Fetch chunked content with Google AppScript UrlFetchApp

Trying to get chunked content with Google AppScript UrlFetchApp:
UrlFetchApp.fetch(url, {muteHttpExceptions:true});
Unfortunately, it does not handle it well and stops after first chunk or somewhere between.
Here are the HTTP response headers:
HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers:
cache-control: max-age=0, private, must-revalidate
content-type: application/json; charset=utf-8
date: Fri, 26 Oct 2018 11:15:24 GMT
x-request-id: 2lgi8mvh6onm5jrvf8000tl1
transfer-encoding: chunked
Connection: keep-alive
Does UrlFetchApp even support chunked responses? If not, is there any alternative?

Access-Control-Allow-Origin: * is set but I still get Origin not allowed

I'm working on a web client that reads a JSON file from a remote server using jQuery. And I'm having trouble getting it to work.
Code:
jQuery.getJSON('http://[remote-ip]/openbeacon/test.json', updateJsonCallback);
Error:
XMLHttpRequest cannot load http://[remote-ip]/openbeacon/test.json.
Origin http://[remote-ip] is not allowed by Access-Control-Allow-Origin.
I've read up on the whole Access-Control-Allow-Origin thing and thought I had found the solution: Add 'Header set Access-Control-Allow-Origin "*"' to the Apache config file (httpd.conf) and restart the service. Unfortunately this didn't work.
I checked the header: the option does show up now - but Chrome still won't let me have access. I even compared the header to that of a JSON file that does work remotely:
http://api.openbeacon.net/get/brucon.json < WORKS
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:43 GMT
Server: Apache
Last-Modified: Tue, 20 Nov 2012 15:01:43 GMT
ETag: W/"d073949-154d-4ceee830cdae1"
Accept-Ranges: bytes
Content-Length: 5453
Access-Control-Allow-Origin: *
Connection: close
Content-Type: application/json; charset=utf-8
http://[remote-ip]/openbeacon/test.json < DOES NOT WORK
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:41 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_perl/2.0.4 Perl/v5.10.1
Last-Modified: Tue, 20 Nov 2012 15:01:41 GMT
ETag: W/"2b8ab16-1e7-4ceee82edbf40"
Accept-Ranges: bytes
Content-Length: 487
Acces-Control-Allow-Origin: *
Connection: close
Content-Type: application/json
Help?
Okay this was pretty stupid. As #Rocket already pointed out I mistyped Access. Sigh.
Acces-Control-Allow-Origin: *
Should be
Access-Control-Allow-Origin: *
