0

I need to make a POST request with data to a URL, using TOTP (Time-based One-Time Password). I keep getting the following message from the server.

========================================================

Access to XMLHttpRequest at URL from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://topic.name.com' that is not equal to the supplied origin.

========================================================

I am using otplib as a library to help me generate the TOTP.

  1. Setting for TOTP is 30 seconds interval (default)
  2. T0 is 0 (epoch)
  3. Digit is 10
  4. HMAC-SHA-512 algorithm

Header Requirement (specified by server):

  1. HTTP Basic Authentication, as specified in Chapter 2 of RFC2617
  2. Content-Type: 'application/json'

Below is my code so far.

import { totp } from 'otplib'
import base64 from 'base-64'
import axios from 'axios'

const request = () => {
    const URL = 'https://api.topic.name.com/topic/003'

    // JSON body of the POST request
    const info = {
        "github_url": "https://github.com/myname/topic",
        "contact_email": "myemail@hotmail.com"
    }

    const secret = 'nameTopic'
    const dataBody = JSON.stringify(info)
    // Shared secret for the TOTP: contact e-mail followed by the fixed suffix
    const sharedSecret = info.contact_email + secret

    // 10 digits, HMAC-SHA-512; the 30-second step is otplib's default.
    // otplib's `epoch` option is the time the token is computed for (default: now),
    // not T0, so it is left unset; `epoch: 0` would yield the token for time 0 on every call.
    totp.options = { digits: 10, algorithm: "sha512" }

    const newTOTP = totp.generate(sharedSecret)
    const isValid = totp.check(newTOTP, sharedSecret)

    console.log(newTOTP, isValid)

    // HTTP Basic credentials: base64("<email>:<totp>")
    const userPass = info.contact_email + ":" + newTOTP
    const credential = base64.encode(userPass)

    const config = {
        headers: {
            'Content-Type': 'application/json',
            "Authorization": "Basic " + credential
        }
    }

    axios.post(URL, dataBody, config).then((response) => {
        console.log(response)
    }, (err) => {
        console.log(err)
    })
}

export default request

I really don't understand why there's a CORS issue, could it be that my headers are wrong?

Any help is greatly appreciated, thank you for your time.

dulerong
  • The browser won't let you post to a different domain unless the target domain explicitly allows it. You cannot fix it from the client; it's basic Internet security. – Pointy May 05 '20 at 02:45
  • @Pointy thanks for your comment. So this is a server-side issue which I have no control, correct? I was suspecting that, because, otherwise the server should respond with 'authorization header' not valid, or content-type not valid. At least some information should be responded to me from server, other than the access-origin not allowed. What should I do in this situation, if target-domain doesn't allow me to post? – dulerong May 05 '20 at 02:57
  • Generally people use their own servers to make proxy requests. The CORS security is purely a web browser feature. – Pointy May 05 '20 at 03:03
  • @Pointy thanks again for your comment. Currently I really need to make this POST request for specific reason. If at current the server does not allow POST from me, does that mean I should try to contact them directly by email or phone to describe this situation? Again thanks for your time. – dulerong May 05 '20 at 03:08
  • You can try that, certainly, but I wouldn't hold out much hope. – Pointy May 05 '20 at 03:22
  • @Pointy greatly appreciate your time Pointy. At this point, I'm trying to decide if it's a problem in my code, whether I specified my headers incorrectly, such as the way I generated my password. If it's something I can fix then certainly I will spend more time on troubleshooting my code, however if it's a server issue, I really don't know what to do at this moment. Thanks for your help though Pointy. – dulerong May 05 '20 at 03:25
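
The check the browser applied to the request in the question, written out as an added example (not code from the question, from otplib or from axios). It is a simplified model of the preflight rules that assumes credentials mode is not "include"; the function names and the `Access-Control-Allow-Headers` sample value are constructed for illustration.

```javascript
// Simplified model of the browser's preflight check (credentials mode not "include").
// Function names and sample header values marked "constructed" are assumptions.
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Names of request headers that force an OPTIONS preflight before the real request.
function headersNeedingPreflight(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n !== 'content-type') return !SAFE_HEADERS.includes(n);
      return !SAFE_TYPES.includes(value.split(';')[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

// Decide whether a preflight response lets `origin` send the request: { ok, reason }.
function checkPreflight(origin, method, requestHeaders, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;

  // 1. The allowed origin must be '*' or byte-for-byte equal to the page's origin.
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== origin) {
    return { ok: false, reason: `origin ${origin} is not ${allowOrigin}` };
  }
  // 2. Methods other than GET/HEAD/POST must be listed.
  const methods = list(h['access-control-allow-methods']);
  const listed = methods.includes(method.toLowerCase()) || methods.includes('*');
  if (!['GET', 'HEAD', 'POST'].includes(method) && !listed) {
    return { ok: false, reason: `method ${method} is not allowed` };
  }
  // 3. Every non-safelisted header must be listed; '*' never covers Authorization.
  const allowed = list(h['access-control-allow-headers']);
  for (const name of headersNeedingPreflight(requestHeaders)) {
    const covered = allowed.includes(name) || (allowed.includes('*') && name !== 'authorization');
    if (!covered) return { ok: false, reason: `header ${name} is not allowed` };
  }
  return { ok: true, reason: 'preflight passed' };
}

// The question's request headers; the Allow-Headers value below is constructed.
const sampleRequest = { 'Content-Type': 'application/json', Authorization: 'Basic <credential>' };
const sampleResponse = {
  'Access-Control-Allow-Origin': 'https://topic.name.com', // value from the error message
  'Access-Control-Allow-Headers': 'authorization, content-type',
};
console.log(checkPreflight('http://localhost:3000', 'POST', sampleRequest, sampleResponse));
```

For the sample input the first check fails on the origin comparison, before the `Authorization` and `Content-Type` values are ever looked at.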

1 Answer

0

You should try running it on node. Place your script in an index.js file, install the dependencies and run node index.js

Did you manage to solve the challenge? I keep getting Access denied: Invalid token, wrong code even following the same code base.

a.fahmiin
  • thanks for your suggestion. Right now I'm running this POST request in my App.js file (react app). I don't see why I need to run it on node, a POST request shouldn't be discriminated by how it's made, as long as it is made correctly. I haven't solved this challenge, because I keep getting blocked by CORS due to access-control-allow-origin header problem. I was told that bypassing the CORS was part of the requirement. This is very frustrating. – dulerong May 08 '20 at 12:29