0

My Restler 3 API works fine on my local test server and works fine on the production server if called from that same server, but if I make the call remotely then it fails.

Using the same REST client with the Luracast online examples, it works fine with a remote call, so it must be something in my configuration (either my API or my production server).

I found mention of the need to send headers, so I tried adding these headers to the index.php file:

header('Access-Control-Allow-Origin:  *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, PATCH, DELETE');
header('Access-Control-Max-Age: 1000');
header('Access-Control-Allow-Headers: *');

But that didn't help. Using the RESTClient add-on in Firefox, I can see that those headers are sent, and the browser will show the data both locally and remotely, whether I use those header commands or not.

Here's a sample call: https://api.masterpiecesolutions.org/v1/artists/?key=A4oxMOYEUSF9lwyeFuleug==

My index.php for that call uses this, with the 2nd param to map to root level:

$r->addAPIClass('Artists', '');

Don't know if that is relevant.

Also, the production server is Amazon EC2, so perhaps it has something to do with the security policy?

Or maybe it's some other header issue? In Google Chrome, using the Advanced Rest Client extension, it gives a status of 403 Forbidden and Content-Type is text/plain (whether using the local or remote server), so it won't work at all, unlike the Firefox add-on.

I also see use of $_SERVER['HTTP_ORIGIN'] in Restler.php, and this doesn't appear to be supported everywhere yet?

monsur
twiddly

2 Answers

1

* is not a valid value for the Access-Control-Allow-Headers response header. You need to list out every non-simple request header. For example:

header('Access-Control-Allow-Headers: Content-Type');

Also consider putting a single origin value or just * for the Access-Control-Allow-Origin header. I just visited your sample url and there are multiple values in that header. Although this should work according to the CORS spec, it is not very widely adopted yet.

Lastly I noticed that the server was setting Access-Control-Allow-Credentials: true. If you set this to true, then you also need to do two other things:

  1. The value of the Access-Control-Allow-Origin header must be the value of the Origin (e.g. http://localhost, it can not be *).
  2. You will need to set xhr.withCredentials = true; in your JavaScript client code.

If you are just testing, you should try to get things working without setting the Access-Control-Allow-Credentials header. It will make things easier to debug.

monsur
  • Thanks, I set Access-Control-Allow-Credentials to false and Access-Control-Allow-Origin to * but still no luck. I commented out the code in Restler.php that is setting these headers and set them manually in the index.php file of the API. Seems I must be missing something in either Restler or server configuration because my test rest client works fine making remote calls to the Restler 3 examples on Luracast server. – twiddly Mar 11 '13 at 12:45
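
The header rules from the answer above, as an added example that is not part of the original answer and is not Restler's own code: one echoed origin taken from an allowlist, an explicit `Access-Control-Allow-Headers` list, and the credentials flag only alongside a concrete origin. The function name `corsHeaders`, the constants and the sample origins are assumptions made for illustration.

```php
<?php
// Added example (not Restler's code): derive CORS response headers from an
// origin allowlist. All names and origins below are hypothetical.

const ALLOWED_ORIGINS = ['https://app.example.com', 'http://localhost']; // constructed
const ALLOWED_METHODS = 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type'; // list each non-simple request header

// $server is a $_SERVER-style array; $credentials says whether cookies or
// HTTP auth may be sent cross-origin. Returns header name => value pairs.
function corsHeaders(array $server, bool $credentials = false): array
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null) {
        return []; // no Origin header (e.g. a cURL client): CORS does not apply
    }
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return ['Vary' => 'Origin']; // no Allow-Origin: the browser refuses the read
    }
    // Exactly one origin value; with credentials it must be the echoed origin, never "*".
    $headers = ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin'];
    if ($credentials) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    $isPreflight = ($server['REQUEST_METHOD'] ?? '') === 'OPTIONS'
        && isset($server['HTTP_ACCESS_CONTROL_REQUEST_METHOD']);
    if ($isPreflight) {
        $headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
        $headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
        $headers['Access-Control-Max-Age'] = '1000';
    }
    return $headers;
}

// Constructed sample requests; run from the CLI to print the resulting headers.
$samples = [
    'preflight, allowed origin' => ['REQUEST_METHOD' => 'OPTIONS', 'HTTP_ORIGIN' => 'http://localhost',
                                    'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'PUT'],
    'GET, unknown origin'       => ['REQUEST_METHOD' => 'GET', 'HTTP_ORIGIN' => 'https://other.example'],
    'GET, no Origin (cURL)'     => ['REQUEST_METHOD' => 'GET'],
];
foreach ($samples as $label => $server) {
    echo $label, "\n";
    foreach (corsHeaders($server, true) as $name => $value) {
        echo "  $name: $value\n";
    }
}
```

In an API entry point, each returned pair would be passed to `header("$name: $value")`, with nothing else in the stack emitting a second `Access-Control-Allow-Origin` value.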
1

The problem, for me at least, was using SSL and the restclient class didn't accommodate that.

So I added (to my RestClient.class.php from phpclasses.org) curl_setopt($this->curl, CURLOPT_SSL_VERIFYPEER, false); // for SSL and now it works.

Also required was setting public static $crossOriginResourceSharing = true; in Defaults.php for Restler 3.

twiddly
  • Just FYI: if you are using curl internally you do not need CORS support at all. CORS is only needed for in-browser cross-domain requests. – Arul Kumaran Mar 14 '13 at 13:37