REST Api - status of 403 (Forbidden)


Rok

May 13, 2021, 12:10:46 PM
to oTree help & discussion
Hello,

I am having problems trying to use the oTree REST API from a different webpage (JavaScript).

Since it works perfectly when testing in Postman, I'm guessing it's an issue with CORS.

If I use mode: 'cors', I get:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I tried setting the required header, and a bunch of other recommended settings, but the problem still persisted.

If I use the mode: 'no-cors', I get:
Failed to load resource: the server responded with a status of 403 (Forbidden)

I'm kind of confused on what to do at this point. The 403 Forbidden is returned to me if I set the 'otree-rest-key' or if I don't. I'm guessing that's because no-cors returns an opaque response? I'm thinking I should probably get mode: cors to work, but I'm not sure how, or if I even can.

Was the oTree REST API made and tested with CORS in mind? Is there something on the oTree server side that is blocking me from accessing the API from a different website? Can I change it?

At this point I'm about to make my own mini PHP API to serve as the wrapper API for oTree's, but that can't be the best way to do this...

Best Regards,
Rok

Chris @ oTree

May 13, 2021, 12:22:03 PM
to oTree help & discussion
It would be simpler to make the API call from the server side. These kinds of things are tricky in JavaScript; for example, some browsers may not allow setting custom headers such as otree-rest-key, and in any case it's best not to expose the secret key in client-side code.

Rok

May 13, 2021, 1:35:40 PM
to oTree help & discussion
Hm, those are actually very good points. I guess I'm making a mini oTree api - api. :)

Thanks,
Rok
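
The server-side approach this thread settles on, sketched as an added example (not code from the posts or from oTree): a wrapper that checks the browser's Origin, exposes only allow-listed routes, and attaches `otree-rest-key` itself so the key never reaches client-side code. The upstream URL, allowed origin, route name and environment variable name are assumptions made for illustration.

```python
import os
from urllib.parse import urljoin
from urllib.request import Request

# Assumptions for illustration, not taken from the thread:
UPSTREAM = "http://localhost:8000/api/"        # where the oTree server listens
ALLOWED_ORIGINS = {"https://lab.example"}      # the page allowed to call the wrapper
ALLOWED_ROUTES = {("POST", "sessions")}        # hypothetical route name
# The key lives only on the server; the default is a constructed demo value.
REST_KEY = os.environ.get("PROXY_OTREE_REST_KEY", "constructed-demo-key")


class Rejected(Exception):
    """Raised when the wrapper refuses to forward a request."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def cors_headers(origin):
    """CORS response headers for an allow-listed origin; none for any other."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
            "Vary": "Origin"}


def build_upstream_request(method, path, headers, body=b""):
    """Turn a browser request (headers as a dict) into the request sent upstream."""
    if headers.get("Origin", "") not in ALLOWED_ORIGINS:
        raise Rejected(403, "origin not allowed")
    route = path.strip("/")
    if (method, route) not in ALLOWED_ROUTES:
        raise Rejected(404, "route not exposed")
    # Browser headers are not copied across: only Content-Type is kept, and the
    # key is added here, so a key sent by the client is ignored.
    out = {"Content-Type": headers.get("Content-Type", "application/json"),
           "otree-rest-key": REST_KEY}
    return Request(urljoin(UPSTREAM, route + "/"), data=body,
                   headers=out, method=method)
```

The returned `Request` can be sent with `urllib.request.urlopen` from whatever web framework hosts the wrapper, and `cors_headers` supplies the headers for both the preflight reply and the actual response.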
