
Chrome DevTools has a feature that allows you to copy a request in the browser as node-fetch.


But for some reason if I try to run this request in node it returns:

    status: 403,
    statusText: 'Forbidden'

I am by no means an expert on HTTP requests, but what could be the issue here? The headers sent:

    headers: {
      accept:
        'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
      'accept-language': 'de-DE,de;q=0.9,en-DE;q=0.8,en;q=0.7,en-US;q=0.6',
      'cache-control': 'no-cache',
      pragma: 'no-cache',
      'sec-ch-ua':
        '"Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"',
      'sec-ch-ua-mobile': '?0',
      'sec-ch-ua-platform': '"macOS"',
      'sec-fetch-dest': 'document',
      'sec-fetch-mode': 'navigate',
      'sec-fetch-site': 'none',
      'sec-fetch-user': '?1',
      'upgrade-insecure-requests': '1',
    },
    referrerPolicy: 'strict-origin-when-cross-origin',
    body: null,
    method: 'GET',

Can anyone refresh me on what I am missing here?

supersize
  • There is no cookie in the headers. Is this a website without logon? – Heiko Theißen Oct 28 '22 at 16:01
  • Typically, 403 means the server recognized the user who is trying to make the request, but the request nonetheless isn't allowed (for instance because of missing privileges). But I've also seen APIs returning 403 instead of 401 in a situation where authorization didn't succeed. But it's hard to give detailed advice without knowing anything about the backend. – derpirscher Oct 28 '22 at 16:06
  • @HeikoTheißen there is a cookie also actually. But not required as it is not with a login, in any case it does not work with the cookie either. – supersize Oct 28 '22 at 16:45
  • @derpirscher well why does it work in the browser but not in node-fetch with the exact same headers – supersize Oct 28 '22 at 16:46
  • If it was the *exact same* request it would work, because the server can only act on what it receives. It doesn't care (nor does it know) whether the exact same bunch of bytes is sent by `node`, `curl` or a browser. Obviously, these are not all the headers from the browser you posted here. Things like, for instance, the `User-Agent` or the `Origin`, which every browser sends, are missing in your code (I don't know whether you just didn't add them here or if they are also missing in the code copied from the developer tools). I've seen APIs which require, for instance, the `User-Agent` header. – derpirscher Oct 28 '22 at 16:52
  • @derpirscher thanks, it was the missing user-agent. I didn't expect it to not be in the `copy as fetch` and didn't realise until now. Maybe you wanna do an answer? – supersize Oct 28 '22 at 18:10
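
A way to spot the kind of gap found in this thread, as an added example that is not code from the question or from any commenter: it compares the raw request headers shown in the DevTools Network panel with the `headers` object of the copied fetch call and lists what the copy lacks. The sample host, the User-Agent string and the `CLIENT_SET` list of headers the HTTP client fills in itself are assumptions made for illustration.

```javascript
// Added example: list headers the browser sent that a copied fetch() call lacks.
// Assumption: headers the HTTP client normally sets on its own are ignored.
const CLIENT_SET = new Set(['host', 'connection', 'content-length']);

// Parse a raw header block as shown under "Request Headers" in DevTools.
function parseRawHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const text = line.trim();
    // Skip blanks, the request line and HTTP/2 pseudo-headers (":authority", ...).
    if (!text || text.startsWith(':') || /^[A-Z]+ \S+ HTTP\/[\d.]+$/.test(text)) continue;
    const idx = text.indexOf(':');
    if (idx <= 0) continue;
    headers.set(text.slice(0, idx).trim().toLowerCase(), text.slice(idx + 1).trim());
  }
  return headers;
}

// Header names are case-insensitive, so both sides are lower-cased first.
function diffHeaders(rawBrowserHeaders, fetchHeaders) {
  const sent = parseRawHeaders(rawBrowserHeaders);
  const copied = new Map(
    Object.entries(fetchHeaders).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const missing = [];
  const different = [];
  for (const [name, value] of sent) {
    if (CLIENT_SET.has(name)) continue;
    if (!copied.has(name)) missing.push(name);
    else if (copied.get(name) !== value) different.push(name);
  }
  return { missing: missing.sort(), different: different.sort() };
}

// Constructed sample: what the browser sent (placeholder host and UA string).
const browserRaw = `GET /page HTTP/1.1
Host: example.test
User-Agent: ExampleBrowser/1.0 (constructed placeholder)
Accept-Language: de-DE,de;q=0.9
Cache-Control: no-cache`;

// Constructed sample: the headers object from the copied fetch call.
const copiedHeaders = {
  'accept-language': 'de-DE,de;q=0.9',
  'cache-control': 'no-cache',
};

console.log(diffHeaders(browserRaw, copiedHeaders));
```
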
