CORS on impCentral API


#1

Access to XMLHttpRequest at ‘https://api.electricimp.com/v5/auth’ from origin ‘https://website.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Has anyone else had success making impCentral API calls from a browser?


#2

Are you writing a purpose-built generally available UI? If so, we can look into finishing up an oauth2 implementation, but it won’t be ready this quarter.

If you’re building an internal tool, do login keys work for you? They should bypass any CORS issues.


#3

It’s for some internal tools we want to be building. I would actually be happy with just username/password (anyone using the tool already has one) but notice it’s the /auth endpoint that is giving me issues.


#4

I can confirm that once I have an access token CORS is bypassed. The problem is, I can’t make the request to get the token.


#5

In the meantime, I can statically load in a refresh token that is associated with an expired access token. How long do the refresh tokens stay valid for? I don’t see any details on that at https://developer.electricimp.com/tools/impcentralapi


#6

Sorry, thought I’d replied. A couple of points:

  1. The intention is to use login keys for this kind of thing. They act as refresh tokens, but they’re managed and revocable and you can hand them out. Once you have a login key, you get an access key in essentially (give or take a parameter) the same way as a refresh token.
  2. Refresh tokens last potentially forever. You can have up to five, least recently used goes away as you create new ones. They expire if unused for three months (though as I write that, it seems unnecessarily long … we’ll probably drop that to a month).
  3. The CORS block is purposeful; it (for some value of “security”) limits exposure of usernames and passwords. You really should be using oauth for this (and clearly, we really should be providing endpoints).
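
Post #6 describes the intended flow: a revocable login key stays in the client and is swapped for an access token the way a refresh token would be, so no username or password ever crosses the CORS-blocked /auth endpoint. The sketch below is an added example, not Electric Imp's code or the forum poster's; the exchange path /v5/auth/token, the request body {token: ...} and the response fields access_token / expires_at are assumptions about the API, and the fake server at the bottom is constructed so the flow runs offline.

```javascript
// Added example (not Electric Imp's code): keep a revocable per-user login key in the
// client, never a password, and exchange it for a short-lived access token.
// ASSUMED, not from the thread: path /v5/auth/token, body {token}, fields access_token/expires_at.
const API_BASE = "https://api.electricimp.com/v5";
class ImpCentralSession {
  constructor(loginKey, fetchImpl, now = () => Date.now()) {
    this.loginKey = loginKey;   // revocable server-side without touching the user's password
    this.fetchImpl = fetchImpl; // injectable so the flow can run offline in tests
    this.now = now;
    this.accessToken = null;
    this.expiresAt = 0;         // epoch ms, safety margin already subtracted
  }
  async exchangeLoginKey() {
    const res = await this.fetchImpl(`${API_BASE}/auth/token`, {
      method: "POST", headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ token: this.loginKey }),
    });
    if (!res.ok) throw new Error(`login key rejected: HTTP ${res.status}`);
    const body = await res.json();
    this.accessToken = body.access_token;
    this.expiresAt = Date.parse(body.expires_at) - 60_000; // renew a minute early
    return this.accessToken;
  }
  async getAccessToken() {
    if (!this.accessToken || this.now() >= this.expiresAt) await this.exchangeLoginKey();
    return this.accessToken;
  }
  // Ordinary calls carry only the bearer token; the login key never leaves the client.
  async apiGet(path) {
    const headers = { Authorization: `Bearer ${await this.getAccessToken()}` };
    const res = await this.fetchImpl(`${API_BASE}${path}`, { headers });
    if (!res.ok) throw new Error(`${path}: HTTP ${res.status}`);
    return res.json();
  }
}
// Constructed offline stand-in for the API: tokens are valid for one hour of the injected clock.
function makeFakeImpCentral(validLoginKey, now) {
  let issued = 0;
  const reply = (status, obj) => ({ ok: status < 300, status, json: async () => obj });
  const fetchImpl = async (url, init = {}) => {
    if (url.endsWith("/auth/token")) {
      if (JSON.parse(init.body).token !== validLoginKey) return reply(401, {});
      issued += 1;
      return reply(200, { access_token: `at-${issued}`, expires_at: new Date(now() + 3_600_000).toISOString() });
    }
    const bearer = (init.headers || {}).Authorization || "";
    return bearer.startsWith("Bearer at-") ? reply(200, { data: [{ id: "device-1" }] }) : reply(401, {});
  };
  return { fetchImpl, exchanges: () => issued };
}
```

In the real page you would construct `ImpCentralSession` with `globalThis.fetch`; a per-user login key keeps each internal user on their own account and can be revoked without a password change.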

#7

Is there OAuth functionality/documentation available now?

How would you recommend I actually use login keys for this? We will have several different internal users of this tool and I expect we’ll be limited by the 1 logstream per account limit. That’s why I was hoping to make it easy for individual users to log in with their own account.

The tool is really just a bunch of simple JavaScript in an HTML page. There is no backend service or database and it’s really out of scope to add user management on our side. The tool exists to combine all our agent-related services (Elasticsearch logs, EI logs, impCentral agent status, our agent API status, our customer database, agent API control, debugging, …)