API auth over http

We are trying to pull Issues into a dashboard, but I cannot get requests to the API to auth. I keep getting:

{"detail": "Authentication credentials were not provided."}

We are using axios like so:

const config = {
    headers: {
        Authorization: `Bearer ${token}`
    }
}

axios.get(url, config)
        .then(response => this.onDataFetchSuccess(response.data))

The initial OPTIONS request returns 401 unauthorized with the above error.

Chrome network tab shows this in Request Headers


Provisional headers are shown
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Origin: http://localhost:6060
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Making a curl request as in the docs works fine:

curl -H 'Authorization: Bearer {token}' https://sentry.io/api/0/projects/

Any help is appreciated

Hi,

Sentry currently doesn’t support CORS requests on its APIs. I’d recommend one of the following:

  • sending those requests from your backend, or making a simple server-side app that makes those requests on behalf of your JS frontend.
  • putting something in your nginx config that intercepts those OPTIONS requests before they hit Sentry and returns a correct Access-Control-Allow-Origin header.
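
The first option in the reply above (a small server-side app that makes the requests on behalf of the JS frontend), as an added example that is not part of the original thread and is not Sentry's code. The origin and path allowlists, the port, and the `SENTRY_TOKEN` environment variable are assumptions, and Node 18+ is assumed for the global `fetch`.

```javascript
// Added example (not Sentry's code): backend relay so the API token never reaches the browser.
// Assumptions: the allowlists, the port and the SENTRY_TOKEN env var; Node 18+ for global fetch.
const ALLOWED_ORIGINS = new Set(['http://localhost:6060']);
const ALLOWED_PATHS = [/^\/api\/0\/projects\/$/];   // only what the dashboard needs
const UPSTREAM = 'https://sentry.io';

// CORS headers for an allowlisted origin; null for anything else (never "*").
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// Preflight is answered locally and without credentials; no Allow-Headers, so no browser-side token.
function preflight(headers) {
  const cors = corsHeaders(headers.origin);
  if (!cors || headers['access-control-request-method'] !== 'GET') return { status: 403, headers: {} };
  return { status: 204, headers: { ...cors, 'Access-Control-Allow-Methods': 'GET', 'Access-Control-Max-Age': '600' } };
}

// Build the upstream call; the token is attached here, server-side only.
function upstreamRequest(path, token) {
  if (!ALLOWED_PATHS.some((re) => re.test(path))) return null;  // not an open proxy
  return { url: UPSTREAM + path, headers: { Authorization: `Bearer ${token}` } };
}

// Node http handler: answer preflight locally, relay allowlisted GETs, refuse the rest.
async function handle(req, res) {
  if (req.method === 'OPTIONS') {
    const p = preflight(req.headers);
    res.writeHead(p.status, p.headers);
    return res.end();
  }
  const cors = corsHeaders(req.headers.origin);
  const up = req.method === 'GET' && cors && upstreamRequest(req.url, process.env.SENTRY_TOKEN);
  if (!up) { res.writeHead(403); return res.end(); }
  const r = await fetch(up.url, { headers: up.headers });
  res.writeHead(r.status, { ...cors, 'Content-Type': 'application/json' });
  res.end(await r.text());
}

// Call serve() to run it; the dynamic import keeps the block loadable as CommonJS or ESM.
async function serve(port = 8787) {
  const http = await import('node:http');
  http.createServer((req, res) => handle(req, res).catch(() => res.destroy())).listen(port);
}
```

The frontend then calls the relay without an `Authorization` header, so the token stays out of the browser bundle and network tab.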

Getting the same errors, spent the whole day reading the docs and trying to figure out why. It would have been ideal if this kind of info were stated in the API docs.

I’m having the same issue. I’m trying to use the user-feedback endpoint (https://docs.sentry.io/api/projects/post-project-user-reports/) to send user-feedback through a custom dialog (as the default one doesn’t match my app styles) but when performing the POST request I get the issue with 401s against the OPTIONS request.

The same request of course works fine through curl but implementing a backend service just to wrap this simple functionality seems like overkill.

Any plans to implement CORS stuff on your API @untitaker ?

I ran into this issue too and couldn’t find anything in the docs that stated that Sentry does not support CORS requests. Has there been an update on this?
It would also be great if you could handle the preflight response better, because receiving the correct Access-Control-Allow-Origin and Access-Control-Allow-Methods responses gives the impression that Sentry does support CORS. But then, the 401 status code leads to confusion. That combined with not mentioning in the docs that there is no CORS support is very misleading.
Thank you!

Hi @vanesa! Can you provide more details around the request and response? A verbose curl output with sensitive parts cleaned out would be very useful.

Having the same issue.
Axios does not support OPTIONS requests with credentials, because that's not part of the RFC.

https://github.com/axios/axios/issues/1358

From https://stackoverflow.com/questions/15734031/why-does-the-preflight-options-request-of-an-authenticated-cors-request-work-in:
The W3 spec for CORS preflight requests clearly states that user credentials should be excluded.

How can I get the OPTIONS request to send and respond consistently?

Simply have the server (API in this example) respond to OPTIONS requests without requiring authentication.

Need to find a different way until this gets fixed in Sentry…