connect-nodejs-sdk icon indicating copy to clipboard operation
connect-nodejs-sdk copied to clipboard

Published 20 hours ago verified publisher icon square

GET requests to catalog fail with CORS Missing Allow Origin

Open mbates opened this issue 4 years ago • 5 comments

I am trying to use the catalog API but requests are failing with CORS Missing Allow Origin.

I can use curl to send GET requests to the sandbox API and I get the expected result.

But when I send the same request from my webapp, which includes the origin and referer headers, the response is a 403 with "CORS Missing Allow Origin"

This works

 curl "https://connect.squareupsandbox.com/v2/catalog/list" -H "User-Agent: Square-TypeScript-SDK/8.0.0" -H "Accept: application/json" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "authorization: Bearer SANDBOX_ACCESS_TOKEN" -H "Square-Version: 2020-12-16" -H "Connection: keep-alive"

This fails

curl "https://connect.squareupsandbox.com/v2/catalog/list" -H "User-Agent: Square-TypeScript-SDK/8.0.0" -H "Accept: application/json" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "authorization: Bearer SANDBOX_ACCESS_TOKEN" -H "Square-Version: 2020-12-16" -H "Origin: http://dev.domain.com" -H "Connection: keep-alive" -H "Referer: http://dev.domain.com/product-list"

mbates avatar Feb 03 '21 03:02 mbates

Is there a reason you're using cURL commands rather than using the provided SDK to make the request? I'm guessing it has something to do with your "Origin" header in the cURL request; we do not allow requests from other origins as far as I know. This also frequently comes up as an issue if you attempt to make an API call from a front-end library, rather than a backend server.

Also, unrelated to the aobve, but just FYI this SDK is no longer maintained, and you should be using the new SDK: https://github.com/square/square-nodejs-sdk.

StephenJosey avatar Feb 03 '21 21:02 StephenJosey

I was using only using curl to check that the requests were working. I installed square from node into an angular app, and the second request was created from the firefox devtools, from the failed GET request.

I'm trying to have a front end only solution, using your API as the back end.

I'll open a new issue on the other repo.

mbates avatar Feb 04 '21 18:02 mbates

Just to confirm: if you remove the "Origin" header from your cURL request, it should work.

StephenJosey avatar Feb 04 '21 18:02 StephenJosey

I opened a new issue in the correct repo, this one can be closed now.

https://github.com/square/square-nodejs-sdk/issues/19

mbates avatar Feb 04 '21 20:02 mbates

And yes, when the origin is not in the request it works. But those headers are added automatically when I use the Client object const catalog = this.client.catalogApi.listCatalog();

mbates avatar Feb 04 '21 20:02 mbates