Enable CORS/JSONP?


Bramus!

Mar 10, 2012, 2:27:22 PM
to wallabee-...@googlegroups.com
Hi Ben,

Is it possible to enable CORS or JSONP on the API? That way we can
access the API via JavaScript.

JSONP would be sufficient, but then you'd have to allow sending of the
API-Key via GET. (Custom headers don't work with JSONP; also, POST
doesn't work with JSONP, but that's no big issue I think.)

If CORS were to be enabled, you wouldn't even need to adjust the API
(except for that one header you need to send to enable it), as it's then
possible to send the API-Key via a custom header. On top of that, POST
calls will work too :-)

To prevent theft of API-Keys (which won't be a biggie if people were to
develop something in JS), you'll preferably want to lock a certain
API-Key to a certain domain. Perhaps this could be an option when
signing up for an API-Key: to enable cross-domain access one must
provide a domain where the app will run.

Regards,
Bram.

Ben Dodson

Mar 10, 2012, 2:32:12 PM
to wallabee-...@googlegroups.com
Hey Bram,

I've enabled CORS on the server. I'll look into locking API keys to certain domains at a future date.

Thanks,

Ben

Bramus!

Mar 10, 2012, 4:36:35 PM
to wallabee-...@googlegroups.com
Hi Ben,

Thanks for the fast fix. Whilst the call is now working, I'm still getting
an error though: “Request header field X-WallaBee-API-Key is not 
allowed by Access-Control-Allow-Headers.”

In building a RESTful PHP API for a project of mine, I had to issue an
extra header from within PHP in order to allow the custom API header
(“X-Api-Key” in my implementation) to be sent in:
header('Access-Control-Allow-Headers: X-Api-Key');

By the looks of it, I'm not seeing such a header being returned by the
Wallabee API. Could you take a look into this?

Thanks,
Bram.

Ben Dodson

Mar 11, 2012, 4:53:04 AM
to wallabee-...@googlegroups.com
Hey Bram,

Sorry about that - I'd only set the "allow origin" parameter. I've now enabled the "allow headers" for X-WallaBee-API-Key.

Just shout if you need anything else.

Ben

Bramus!

Mar 11, 2012, 6:19:31 AM
to wallabee-...@googlegroups.com
Hi Ben,

Everything works fine now, thanks a bunch! :-)

Regards,
Bram.

Bramus!

Mar 11, 2012, 1:11:18 PM
to wallabee-...@googlegroups.com
Ben,

There's one small thing I overlooked today whilst testing: whilst my code was
now working, I see an OPTIONS request failing before each GET request.
I get back a 401 on the OPTIONS. The GET request resolves fine.

The way CORS works is that it does a preflight OPTIONS request. If I'm not
mistaken the OPTIONS request isn't caught by the API and therefore doesn't
return the 'Access-Control-Allow-Headers: X-WallaBee-API-Key' header, which
in turn results in the 401 (as the incoming X-WallaBee-API-Key isn't
accepted).

Regards,
Bram.

Bramus!

Mar 11, 2012, 1:31:41 PM
to wallabee-...@googlegroups.com
Did some more researching: whilst the header is returned, I'm still getting the 401.
Quite logical now that I think of it: the API-Key is only sent with the GET request.

The fix would be to not return a 401 if the request type is OPTIONS.

Regards,
Bram.

Ben Dodson

Mar 11, 2012, 2:43:44 PM
to wallabee-...@googlegroups.com
Hey Bram,

I've made some alterations so the preflight OPTIONS should just get the headers and nothing else. Let me know if you still experience any problems.

Cheers,

Ben

Bramus!

Mar 11, 2012, 3:19:14 PM
to wallabee-...@googlegroups.com
As per usual: awesome!
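
The behaviour this thread converges on, as an added example that is not from any of the posts above nor the WallaBee API's own code: the preflight OPTIONS is answered with the CORS headers and no key check, while the actual request requires the key and enforces the per-domain lock proposed in the first message. The key values, origins, function names and the lowercased-header request shape are assumptions made for the sketch.

```javascript
// Constructed sample data: API keys and the origin each one is locked to.
const KEY_ORIGINS = new Map([
  ["demo-key-1", "https://app.example"],
  ["demo-key-2", "https://other.example"],
]);
const API_KEY_HEADER = "x-wallabee-api-key"; // header name from the thread, lowercased
const ALLOWED_ORIGINS = new Set(KEY_ORIGINS.values());

// CORS headers for an origin that some key is registered to; {} otherwise.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// req: { method, headers } with lowercased header names (hypothetical shape).
function handleRequest(req) {
  const origin = req.headers["origin"];
  const cors = corsHeaders(origin);

  // Preflight: the browser sends OPTIONS without the API key, so answer it
  // with the CORS headers only and never run the key check on it.
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    const allowed = Object.keys(cors).length > 0;
    return {
      status: allowed ? 204 : 403,
      headers: allowed ? {
        ...cors,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "X-WallaBee-API-Key",
      } : {},
      body: "",
    };
  }

  // Actual request: the key is required, and must match its registered
  // origin whenever the client supplied an Origin header.
  const key = req.headers[API_KEY_HEADER];
  if (!KEY_ORIGINS.has(key)) return { status: 401, headers: cors, body: "invalid API key" };
  if (origin !== undefined && KEY_ORIGINS.get(key) !== origin) {
    return { status: 403, headers: cors, body: "key not valid for this origin" };
  }
  return { status: 200, headers: cors, body: "ok" };
}
```

The origin lock only constrains browsers, which set Origin themselves; a non-browser client can send any Origin or none, so the lock limits reuse of a copied key from other sites' pages rather than authenticating the caller.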