I am using parse.com Cloud Code and have a function in it, which is called using an HTTPS POST call from my AngularJS code.
When I test the same function from POSTMAN REST client it works.
But from my domain it gives a CORS error:
    XMLHttpRequest cannot load api.parse.com/1/functions/sendemail. Response to preflight request doesn't pass access control check: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'crickify.com' is therefore not allowed access.
Cloud Code:
    Parse.Cloud.define("sendemail", function(request, response) {
        //response.success("Hello world!");
        var mailgun = require('mailgun');
        console.log("from parselog", request.params);
        response.set("Access-Control-Allow-Origin", "crickify.com");
        response.set("Access-Control-Allow-Headers", "X-Requested-With");
        response.set('Access-Control-Allow-Headers', 'Content-Type');
        mailgun.initialize('XXX', 'XXX');
        mailgun.sendEmail({
            to: "bala@mindlens.com.sg",
            from: "Mailgun@CloudCode.com",
            subject: "Hello from Cloud Code!",
            text: "Using Parse and Mailgun is great!"
        }, {
            success: function(httpResponse) {
                console.log(httpResponse);
                response.success("Email sent!");
            },
            error: function(httpResponse) {
                console.error(httpResponse);
                response.error(httpResponse);
            }
        });
    });
Angular Code:
    $scope.sendemail = function(passedEmail) {
        // Wrap the address in the payload sent to the cloud function
        var email = passedEmail;
        var message = {mail: email};
        $http({
            method: 'POST',
            url: 'https://[app key]:[jskey]@api.parse.com/1/functions/sendemail',
            data: message
        })
        .success(function(data) {
            console.log("Success" + data);
        })
        .error(function(error) {
            // Log the error argument; "data" is not defined in this callback
            console.log("Error" + error);
        });
    };
I don't know how to format my code here... so I am not posting it
Where is your Angular code running?
Is there a way for you to see where the request is coming from by looking in the request headers, specifically the origin header?
In Java I would typically do something like this while developing since the domain of origin needs to match exactly - instead of hardcoding crickify.com, insert the origin as received in the request headers:
    String clientOrigin = request.getHeader("origin");
    log.info("clientOrigin = " + clientOrigin);
    // lock down Access Control to certain origins
    if (clientOrigin != null) {
        if (clientOrigin.contains("localhost") ||
            clientOrigin.contains("file") ||
            clientOrigin.contains("mycee.com") ||
            clientOrigin.contains("10.0.0.3")) {
            response.addHeader("Access-Control-Allow-Origin", clientOrigin);
        }
    }
Paste code, highlight the code block, hit tab, that should keep your code in the right format.
It's normal that Postman code works, since CORS issues only happen in a browser and their security sandbox (same idea, if you curl your request, it will work even though you have the error in the browser).
According to the error returned and since the authentication seems to be required, you only have two choices:
- develop a proxy that will hide the authentication and route the request from the Angular front-end to parse.com
- narrow your CORS headers to meet the constraint exposed in the error for the Access-Control-Allow-Origin header

It would be interesting to see the OPTIONS request and response, because from the code you posted, it looks like the POST will use response.set("Access-Control-Allow-Origin", "crickify.com"); therefore I infer that some other code (maybe not yours, but default settings at Parse) would return * for the OPTIONS request. You could use Charles Proxy, Fiddler or any debug proxy to easily inspect your requests and get the complete response (browsers usually hide part of the response in case of CORS errors).

I don't know your time/budget constraints, but I would indeed consider moving the app key:jskey out of the front-end code to not expose it to anyone, and only inject them in a proxy API. Your Angular code would then call your proxy API, where you would have full control over the authentication and CORS settings, and this API will route the request to Parse. It would also let you log anything that happens between your clients and Parse, to be aware if anything goes wrong or scales badly or has dubious behavior.

Hope this helps,
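The CORS decision that a proxy API like the one suggested above has to make for the preflight and for the POST, as an added example that is not part of the original posts. The names `ALLOWED_ORIGINS`, `corsHeaders` and `handleCors` and the two listed origins are assumptions; origins are compared by exact match rather than by substring, and the specific origin is echoed back because `*` is refused for credentialed requests.

```javascript
// Added example: CORS decisions for a proxy API placed in front of Parse.
// ALLOWED_ORIGINS, corsHeaders and handleCors are hypothetical names.
const ALLOWED_ORIGINS = new Set([
  'https://crickify.com',   // assumed production origin (scheme + host)
  'http://localhost:8080',  // assumed development origin
]);
const ALLOWED_METHODS = 'POST, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type, X-Requested-With'; // one combined list

// Build the CORS headers for one request, or {} when the origin is not allowed.
function corsHeaders(origin, withCredentials) {
  // Exact match only: a bare "crickify.com" or a look-alike host never matches.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    // Echo the specific origin; browsers reject '*' on credentialed requests.
    'Access-Control-Allow-Origin': origin,
    // Tell caches the response differs per requesting origin.
    'Vary': 'Origin',
  };
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Decide status, headers and whether to forward upstream, before calling Parse.
function handleCors(method, requestHeaders) {
  const origin = requestHeaders['origin'];
  const headers = corsHeaders(origin, true);
  const allowed = 'Access-Control-Allow-Origin' in headers;
  if (method === 'OPTIONS') {
    // Preflight is answered by the proxy itself and never forwarded.
    if (!allowed) return { status: 403, headers: {}, forward: false };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers, forward: false };
  }
  // A browser request from an unlisted origin is refused, not forwarded.
  if (origin && !allowed) return { status: 403, headers: {}, forward: false };
  // Only POST reaches the upstream function; keys are added server-side there.
  if (method !== 'POST') return { status: 405, headers, forward: false };
  return { status: 200, headers, forward: true };
}
```

Requests without an `Origin` header (curl, Postman) pass the CORS step here, so the proxy still needs its own authentication before it forwards anything.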