Problem with access_token param on POST request

Hi, it’s me again, well im having a sort of … error… when trying to post to /dataset/data/{datasetid} Despite the content-type : application/x-www-form-urlencoded header sent to the api to avoid OPTIONS preflight (CORS) when setting the Authorization: Bearer {access_token} header it still perform a preflight ( always performs a OPTIONS no matter what), to avoid this, im doing the following /dataset/data/{datasetid}?access_token={access_token} on every request but it’s returning a 400 bad request when the type is POST saying that the parameter access_token is not present in the request… I’ve tried sending it in the body as in the header. Im running the api/xibo panel and the api consumer in two different servers. BTW … CORS headers are set in the .htaccess of xibo. Any comments? anything you got… Thanks in advance

access_token should only be sent in the header - that is the “supported” way to access it. Can you provide a sample failing request using POSTMAN, including response headers - we can investigate from that.

From POSTMAN its working as expected, when post metod is setted, but via browser it preflights an OPTIONS returning a400 BAD REQUEST or a 404, this cant be avoided if i must send theaccess token with a header…
if i do a OPTIONS with postman

{
  "error": {
    "message": "Página no encontrada",
    "code": 404,
    "data": []
  }
}

I see - you are accessing the API from another website (another application running in the browser) and therefore you need to negotiate CORS support - hence the pre-flight.

That’s right, it can’t be - and you must use a header so that PUT/DELETE requests are supported.

To solve this issue you need to configure your web server to respond to the OPTIONS preflight, you could do this in Apache with mod_rewrite:

RewriteCond %{REQUEST_METHOD} OPTIONS 
RewriteRule ^(.*)$ $1 [R=200,L]   

You could also advertise that CORS is supported:

Header always set Access-Control-Allow-Origin "*"                   
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"

You should take care to understand what this actually means - allowing any 3rd party to make cross domain requests against your CMS… is that what you really want?

I guess you’ve had to hard-code your clientID/clientSecret in your web page application, which is a really bad idea! You could consider writing a proxy application that runs on your web server as an alternative, more secure approach.

1 Like

Dan, yes , the mod rewrite did the trick, I’ve one more question, probably related to this… when I send a post request to /datasets/data/2 sending it as urlenconded form data and with this format dataSetColumnId_23 : "SomeString", dataSetColumnId_24 : "SomeString2" the API returns the id of the new record, but the record is empty, I cant figure out where is the problem… and I certainly don’t want to alter the xibo code. Thank You

@Peter - did you also have a problem with this during test?

As far as I know it should work fine with correct parameters.

So, first you’d want to call
GET {{url}}/api/dataset/{dataSetId}/column then use correct columns Ids in post call (image resized by discourse, please click on it to see whole image)

Now let’s say I want to add data to first three columns in my dataset, in this case the IDs will be 4, 7 and 17

ie

that added row 25 and if we look in the CMS