Strava and CORS headers


Michael McLachlan

Jan 1, 2017, 11:49:15 PM
to Strava API
Does the Strava API support authentication and API usage through the use of Cross-Origin Requests?

I was trying to write a simple app to migrate my data from Nike+ to Strava using the Strava API because I have about 1000+ runs and I don't really feel like doing that manually. I thought that writing a simple JS authenticator would interface nicely/easily with the OAuth... however, when posting to strava.com/oauth/token, the browser preflights the POST request, sending an OPTIONS request over to pre-validate, and then Strava responds with a 302 redirect to strava.com/login. I'm sure there are some of you out there that have run into this...

E.g., the code looks something like this (assume client id, secret, and code are set...)

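        // Token endpoint the browser posts to.
        var url = "https://www.strava.com/oauth/token";
        // Placeholders stand in for the real client id, secret and authorization code.
        var data = {
            client_id: xxxxxx,
            client_secret: "xxxxxxx",
            code: xxxxx
        };

        // Access-Control-Allow-Origin is a response header; here it is added to every outgoing request.
        App.requestor.http.defaults.headers.common['Access-Control-Allow-Origin'] = '*';
        // Cross-origin POST; the browser sends an OPTIONS preflight first.
        App.requestor.http({method: 'POST', url: url, dataType: "json", data: data});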

But this is the response...

        Cache-Control: no-cache
        Connection: keep-alive
        Content-Length: 94
        Content-Type: text/html; charset=UTF-8
        Date: Mon, 02 Jan 2017 04:15:03 GMT
        Location:
        Set-Cookie: xxxxxxxx
        Status: 302 Found
        X-FRAME-OPTIONS: DENY
        X-Request-Id: xxxxxxxxxxx
        X-UA-Compatible: IE=Edge,chrome=1

I would have expected something that should tell my browser what options are valid... Am I missing something here? Or do the services not support this?
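
Added example (not part of the original posts, and not Strava's code): a simplified JavaScript model of the browser's preflight decision, run over a constructed request and response modelled on the headers quoted above. It assumes a non-credentialed request with a JSON body; the origin `http://localhost:8000` and the `permissive` response are constructed for illustration.

```javascript
// Simplified model of the browser's CORS preflight decision (non-credentialed request).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

const lower = (obj) => Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request header names that the server has to allow explicitly.
function unsafeHeaders(headers) {
  return Object.entries(lower(headers))
    .filter(([n, v]) => n === "content-type"
      ? !SAFE_TYPES.has(String(v).split(";")[0].trim().toLowerCase())
      : !SAFE_HEADERS.has(n))
    .map(([n]) => n);
}

// Returns { allowed, reason } for the real request, given the OPTIONS response.
function checkPreflight(req, res) {
  const needed = unsafeHeaders(req.headers);
  if (SAFE_METHODS.has(req.method) && needed.length === 0)
    return { allowed: true, reason: "no preflight needed" };
  if (res.status < 200 || res.status > 299)
    return { allowed: false, reason: `preflight status ${res.status} is not 2xx` };
  const h = lower(res.headers);
  const origin = h["access-control-allow-origin"];
  if (origin !== "*" && origin !== req.origin)
    return { allowed: false, reason: "origin not allowed" };
  const methods = list(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method.toLowerCase()) && !methods.includes("*"))
    return { allowed: false, reason: "method not allowed" };
  const allowed = list(h["access-control-allow-headers"]);
  const missing = allowed.includes("*") ? [] : needed.filter((n) => !allowed.includes(n));
  return missing.length
    ? { allowed: false, reason: `headers not allowed: ${missing.join(", ")}` }
    : { allowed: true, reason: "preflight passed" };
}

// Constructed sample modelled on the post: JSON POST plus the stray request header.
const request = { origin: "http://localhost:8000", method: "POST",
  headers: { "Content-Type": "application/json", "Access-Control-Allow-Origin": "*" } };
// What the post reports coming back: a 302 with no Access-Control-* headers.
const redirected = { status: 302, headers: { "Content-Type": "text/html; charset=UTF-8", "X-FRAME-OPTIONS": "DENY" } };
// Hypothetical response that allows a JSON body but nothing else.
const permissive = { status: 204, headers: { "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Content-Type" } };
const jsonOnly = { ...request, headers: { "Content-Type": "application/json" } };

console.log(checkPreflight(request, redirected));
console.log(checkPreflight(request, permissive));
console.log(checkPreflight(jsonOnly, permissive));
```

The first call fails on the 302 alone, since a preflight response must have a 2xx status. The second shows that `Access-Control-Allow-Origin` set on the request is itself a header the server would have to allow.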

Julien Silland

Jan 6, 2017, 5:09:50 PM
to Strava API
Michael,

This is a bug — I have recently opened up our CORS policy for API resources (everything under /api/v3) but I didn't go to the extent of writing code to exercise the OAuth flow in the browser.

I've filed the bug in our tracker. I can't provide an estimate for when a fix would be deployed — in the meantime, you can mint yourself a personal token by going to https://www.strava.com/settings/api and setting that in your code or wherever you intended to persist the token.

Hope this helps,
-j

Gabe O'Leary

May 5, 2017, 12:25:50 AM
to Strava API
Any update on when this is going to be fixed? It's making life overly difficult for your developers :(

Thanks,
Gabe