Hi, it’s me again, well im having a sort of … error… when trying to post to /dataset/data/{datasetid} Despite the content-type : application/x-www-form-urlencoded header sent to the api to avoid OPTIONS preflight (CORS) when setting the Authorization: Bearer {access_token} header it still perform a preflight ( always performs a OPTIONS no matter what), to avoid this, im doing the following /dataset/data/{datasetid}?access_token={access_token} on every request but it’s returning a 400 bad request when the type is POST saying that the parameter access_token is not present in the request… I’ve tried sending it in the body as in the header. Im running the api/xibo panel and the api consumer in two different servers. BTW … CORS headers are set in the .htaccess of xibo. Any comments? anything you got… Thanks in advance
access_token
should only be sent in the header - that is the “supported” way to access it. Can you provide a sample failing request using POSTMAN, including response headers - we can investigate from that.
From POSTMAN its working as expected, when post metod is setted, but via browser it preflights an OPTIONS returning a400 BAD REQUEST or a 404
, this cant be avoided if i must send theaccess token
with a header…
if i do a OPTIONS with postman
{
"error": {
"message": "Página no encontrada",
"code": 404,
"data": []
}
}
I see - you are accessing the API from another website (another application running in the browser) and therefore you need to negotiate CORS support - hence the pre-flight.
That’s right, it can’t be - and you must use a header so that PUT/DELETE requests are supported.
To solve this issue you need to configure your web server to respond to the OPTIONS preflight, you could do this in Apache with mod_rewrite:
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
You could also advertise that CORS is supported:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
You should take care to understand what this actually means - allowing any 3rd party to make cross domain requests against your CMS… is that what you really want?
I guess you’ve had to hard-code your clientID/clientSecret in your web page application, which is a really bad idea! You could consider writing a proxy application that runs on your web server as an alternative, more secure approach.
Dan, yes , the mod rewrite did the trick, I’ve one more question, probably related to this… when I send a post request to /datasets/data/2
sending it as urlenconded form data and with this format dataSetColumnId_23 : "SomeString", dataSetColumnId_24 : "SomeString2"
the API returns the id of the new record, but the record is empty, I cant figure out where is the problem… and I certainly don’t want to alter the xibo code. Thank You
@Peter - did you also have a problem with this during test?
As far as I know it should work fine with correct parameters.
So, first you’d want to call
GET {{url}}/api/dataset/{dataSetId}/column
then use correct columns Ids in post call (image resized by discourse, please click on it to see whole image)
Now let’s say I want to add data to first three columns in my dataset, in this case the IDs will be 4, 7 and 17
ie
that added row 25 and if we look in the CMS