3

in my React app, I have the following API POST to allow the user to edit their profile (name and image).

  static updateProfile(formData, user_id) {
    const request = new Request(`http://localhost:4300/api/v1/profiles/${user_id}`, {
      headers: new Headers({
        'Authorization': getBearerToken()
      }),
      mode: 'no-cors',
      method: "POST",
      body: formData
    });

    return fetch(request).then(response => {
      return response.json();
    }).catch(error => {
      return error;
    });
  }

The problem with the above is the header with the Authorization token is not being sent in the POST...

How can I get the Authorization header to be send in the fetch request above?

FYI, for non-multipart forms, the authorization token is sent successfully like so:

  static loadProfile(user_id) {
    const request = new Request(`http://localhost:4300/api/v1/profiles/${user_id}`, {
      headers: new Headers({
        'Authorization': getBearerToken(),
        'Accept'       : 'application/json',
        'Content-Type' : 'application/json',
      })
    });

    return fetch(request).then(response => {
      return response.json();
    }).catch(error => {
      return error;
    });
  }
sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
AnApprentice
  • 108,152
  • 195
  • 629
  • 1,012

2 Answers2

9

You can’t use no-cors mode if you set any special request headers, because one effect of using it is: it tells browsers to not allow your frontend JavaScript code to set any request headers other than CORS-safelisted request-headers. See the spec requirements:

To append a name/value pair to a Headers object (headers), run these steps:

  1. Otherwise, if guard is "request-no-cors" and name/value is not a CORS-safelisted request-header, return.

In that algorithm, return equates to “return without adding that header to the Headers object”.

Authorization isn’t a CORS-safelisted request-header, so your browser won’t allow you to set if you use no-cors mode for a request. Same for Content-Type: application/json.

If the reason you’re trying to use no-cors mode is to avoid some other problem that occurs if you don’t use, the solution is to fix the underlying cause of that other problem. Because no matter what problem you might be trying to solve, no-cors mode isn’t going to turn out to be a solution in the end. It’s just going to create different problems like what you’re hitting.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
  • Can I turn re enable cors and then send the header along w multipart form data? – AnApprentice Jun 25 '17 at 16:00
  • 1
    Yes, you should be able to just remove `mode: 'no-cors'` and make the request. If when you do that you get some different error message, then you probably want to update your question to include whatever other error message you get without `mode: 'no-cors'`, and then we could try to find a solution to that problem. – sideshowbarker Jun 25 '17 at 16:03
-1

By using below code you can make a fetch request with Authorization or bearer

    var url = "https://yourUrl";
    var bearer = 'Bearer '+ bearer_token;
    fetch(url, {
    method: 'GET',
    withCredentials: true,
    credentials: 'include',
    headers: {
        'Authorization': bearer,
        'X-FP-API-KEY': 'iphone',
        'Content-Type': 'application/json'}
    }).then((responseJson) => {
        var items = JSON.parse(responseJson._bodyInit);
    })
    .catch(error => this.setState({
    isLoading: false,
    message: 'Something bad happened ' + error
    }));
Pankaj Bhardwaj
  • 2,081
  • 1
  • 17
  • 37