0
function loginSuccessFn(data, status, headers, config) {
    Authentication.setAuthenticatedAccount(data.data);
    //window.location = '/';
    return $http.post('https://ap-codereview.us.oracle.com/api/json/accounts/login', 
        {'Authorization': 'Basic ' + $base64.encode('username:password')}).then(codereviewSuccessFn, codereviewErrorFn);
}

I am trying basic authentication using the $http service and I keep getting this message.

No 'Access-Control-Allow-Origin' header is present on the requested resource

How can I successfully implement basic auth in angularjs. I tried reading up some examples but I do not understand how to configure Access-Control-Allow-Origin in the http header.

I am a total newbie at authentication and would appreciate any help.

nitimalh
  • 919
  • 10
  • 26

1 Answers1

0

Access-Control-Allow-Origin is a header set by the server in the response, you do not set it client side. If the server is not set up for CORS access, then you cannot do this. Contact the server administrator to set up CORS.

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

EDIT

If JSONP is available, use that. https://en.wikipedia.org/wiki/JSONP

mofojed
  • 1,342
  • 9
  • 11
  • Is there a work around for this. I tried the same with the postman client using chrome apps and it seems to work ?! – nitimalh Jul 26 '15 at 22:04
  • 1
    Yes it will work with the Postman client, but not through a script hosted on another server (or a local server). This is part of browser security. You can disable your Chrome security to get it working: http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome Obviously this won't work if you want others to be able to use your website. You need the server to accept your server as an origin. Contact Oracle, they may have details on how to access this (enabling CORS or through JSONP or something). – mofojed Jul 26 '15 at 23:01
  • 1
    see if api serves jsonp – charlietfl Jul 26 '15 at 23:16
  • So is there a significant risk if I use Cross Origin Request Sharing instead ? I used a plugin for chrome for the same and it seemed to work pretty well. – nitimalh Jul 27 '15 at 18:17
  • 1
    Those plugins work by decreasing your browser security. If you're just using it for testing and only going to one page, then it's up to you whether it's worth the risk. See https://blog.nraboy.com/2014/08/bypass-cors-errors-testing-apis-locally/ Also, if you want to distribute your site at all, you don't want to have users disable security to use your site. Also, please look at the flagged duplicate - it has a lot of info on CORS: http://stackoverflow.com/questions/20035101/no-access-control-allow-origin-header-is-present-on-the-requested-resource – mofojed Jul 27 '15 at 18:46
  • Alright that makes sense. Would jsonp have the same security implications ? I just verified that the API does serve jsonp requests so would that be a good alternative ? – nitimalh Jul 27 '15 at 19:11
  • 1
    If the API uses JSONP, then yes you should use that. – mofojed Jul 27 '15 at 20:29
  • Thanks mofojed, jsonp seems to work well for me. – nitimalh Jul 28 '15 at 03:11