HTTP requests in JavaScript - 'Authorization has been denied for this request'

Hi, Thank you for a great tool!
I installed server to my local server and I’m trying to get the list of questionnaires from server using javascript, but using the following code in JS it returns 401 ‘Unauthorized’ respond.

let xhr = new XMLHttpRequest(); // no arguments
xhr.open(‘GET’, ‘http://192.168.1.100:9700/api/v1/questionnaires’, true, ‘MY-API-USER’, ‘PASSWORD’);
xhr.send();

When I test connection with Postman (http://MY-API-USER:PASSWORD@192.168.1.100:9700/api/v1/questionnaires) I’m getting the list of the questionnaires without any problem,
Am I missing anything?
Thank you,
Odil

Here’s an educated guess: your password contains special characters. If so, this is a generic problem for many curl interfaces, or tools that work like curl. Read more here, and see links in the issue to StackOverflow articles that I have found useful on the topic.

Thank you, Arthur for you suggestion. But I’m not using any spacial characters in my password. I’ve already spent three days to find out solution to this problem but still I could not solve this. In my development server (Windows server 2012 R2 x64) I installed the latest build - 24505.

This is my JavaScript code (script.js):

let url = ‘http://192.168.1.100:9700/api/v1/questionnaires’;
let user = ‘User’;
let pass = ‘user2019USER’;
var auth = "Basic " + btoa(user + “:” + pass);

var xhr = new XMLHttpRequest();
xhr.open(“GET”, url, true);
xhr.setRequestHeader(“Authorization”, auth);
xhr.onreadystatechange = function () {
if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
console.log(xhr.responseText);
};
};
xhr.send();

I’m getting following error in Chrome console:
OPTIONS http://192.168.1.100:9700/api/v1/questionnaires 405 (Method Not Allowed)
(anonymous) @ a.js:14
192.168.1.100/:1 Access to XMLHttpRequest at ‘http://192.168.1.100:9700/api/v1/questionnaires’ from origin ‘http://192.168.1.100’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: It does not have HTTP ok status.

But if I include

xhr.withCredentials = true;

The page asks for username and password and after giving correct credential, it returns the data normally:

var xhr = new XMLHttpRequest();
xhr.open(“GET”, url, true);
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
console.log(xhr.responseText);
};
};
xhr.send();

So I am getting some problem of providing the http authentication right from the java script of the app.

I have following HTTP Response Headers in my Server:

Access-Control-Allow-Credentials
true

Access-Control-Allow-Headers
Content-Type, Authorization

Access-Control-Allow-Origin
http://192.168.1.100

Access-Control-Allow-Methods
OPTIONS, GET, HEAD

I’m sending request from http://192.168.1.100

Highly appreciate if anyone has any clue.

Odil

Hi,

Your request are blocked by CORS policy. This policy includes PORT applications, while You are allowed to only send request from the same domain as HQ running is( including port).

As a quick solutions You can try to adjust policy in web.config

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
      <add name="Access-Control-Allow-Headers" value="Content-Type" />
      <add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
     <add name="Access-Control-Allow-Credentials" value="true" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

This will open CORS policy for Your local installation for all domains.
If You need to specify only several one, then this can be a bit tricky. Here is answer on SO that can help: https://stackoverflow.com/a/31084417/41483

Thank you, Victor for your suggestion.

I’m already using customized web.config, and I did it using IIS user interface.

Unfortunately this didn’t solve the problem.