0

I am developing an Angular application, whose purpose is to request a public API and render information in a convenient way with some graphics for our teams. In order to be able to access to this first API, I need to authenticate and get a bearer token through another one. I get the famous error about CORS as I try to authenticate to the second API:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The request works fine if I use cURL, which seems totally normal, because CORS error comes from the browser.

The problem is I am not developing this API (for authentication) so I cannot set headers to allow cross-origin requests, and of course I don't want to use the proxy solution for Angular, which only works for dev environment.

So would it be possible to make use of cURL (I mean the real command line tool) through an Angular app, by clicking on a button ? Maybe is there any npm package which makes the host use curl ?

I did not find any solution about this.

I would like to:

  • click on a button on the web app which executes a curl request on the host machine
  • after curl is done, get the body response and save it in Angular
  • parse the response, get the bearer token and use it as header for the next requests

Thank you in advance for helping.

Terry

Terry Pitz
  • 83
  • 7
  • `would it be possible to make use of cURL through an Angular app` - yes, by proxying the request from your server instead of making it client-side in JS. This is the standard approach when dealing with CORS restrictions in cases where you cannot change the response headers. – Rory McCrossan Nov 08 '22 at 10:52
  • 1
    Not in the browser no, you would need some server logic that can spawn curl. What backend are you using, as doing this in node would be pretty easy and not require curl at all. – Keith Nov 08 '22 at 10:52
  • 1
    Although, I have to say this part seems *incredibly* insecure: 'parse the response, get the bearer token and use it as header for the next requests'. Are you expecting users to provide a third-party login to you, for you to proxy so you can get ***their*** access token? If so, that is the *textbook* definition of a phishing attack. If you need to do that, then I would strongly suggest you re-evaluate what you're trying to do. – Rory McCrossan Nov 08 '22 at 10:53
  • @RoryMcCrossan for your first reply: I don't have any server, nor a database. The app only makes request on the API on the fly. Some data are stored in browser localstorage but that's it. For your second reply: this application is developed internally for our teams. The bearer I get is our bearer. The API we request is in fact from Dynatrace which is an APM solution, and we pay for the licence so there is no problem about that. Thank you still for warning. – Terry Pitz Nov 08 '22 at 11:29
  • @RoryMcCrossan I deleted the cors tag, may you please reopen the question ? Plus It is not a duplicate, at all :) The question is to know how to trigger an http request throught angular, without using the http client – Terry Pitz Nov 08 '22 at 11:40
  • You could probably use another library instead of HttpClient, but it would be largely pointless as they will all use XMLHttpRequest at the lowest level. If you're expecting a different client to work around the CORS issue, it won't. As mentioned above, and in the duplicate, the only way around a CORS issue, assuming you cannot add the headers to the response, is to proxy the request server side. If you don't have a server side, then you are SOL. – Rory McCrossan Nov 08 '22 at 11:51
  • @RoryMcCrossan I don't know what you are misunderstanding here about my question, but: 1. I know CORS issues cannot be avoided in my case, as long as I'm making the request from the browser. 2. I can *not* proxy the request with a server because as I said, there is no server. **The whole point of my question is: can I trigger a curl (cli tool) request through my app. At least it would be nice to let other people have a chance to reply to this question, assuming the duplicate post (which is actually no duplicate) does not contains this specific answer** – Terry Pitz Nov 08 '22 at 12:08
  • I thought the answer to that was clear already: no. – Rory McCrossan Nov 08 '22 at 12:09

0 Answers0