Question

165

Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response when using http get req from JS to SlackAPI

rated 0 times [ 169] [ 4] / answers: 1 / hits: 6494 / 2 Years ago, mon, february 28, 2022, 12:00:00

I understand that there are many similar questions, but I am posting this because I feel it is slightly different.

I am trying to send a GET request to the Slack API using an HTTP request.
Specifically, the code looks like the following.

import useSWR from "swr";



const useSlackSearch = (query: string) => {

  const token = process.env.NEXT_PUBLIC_SLACK_API_USER_TOKEN;

  const myHeaders = new Headers();

  myHeaders.append("Authorization", "Bearer " + token);



  const slackURL = `https://slack.com/api/search.messages?query=${query}`;



  const fetcher = async (url: string) => {

    const response = await fetch(url, {

      headers: myHeaders,

    }).then((res) => res.json());

    return response;

  };



  const { data, error } = useSWR(slackURL, fetcher, {

    revalidateOnFocus: true,

    revalidateOnReconnect: true,

  });



  if (error) {

    return console.log(`Failed to load: ${error}`);

  } else if (!data) {

    return console.log("Loading...");

  } else {

    console.log(data);

    return data;

  }

};



export default useSlackSearch;

The environments I'm using are as follows.

Device: MacBook Air

OS: macOS

Browser: Chrome

From: localhost:3000

To: Slack API html page (https://slack.com/api/search.messages)

After reading the MDN articles like below, I understood that

There is such a thing as a simple HTTP request as defined by MDN

If the request you want to send does not correspond to this simple request, the browser will send a preflight request

In the response to that preflight request, there is a header called Access-Control-Allow-Headers.

Only headers set to the value of this Access-Control-Allow-Headers header can be used as headers in the main request after preflighting.

In this case, I tried to use the Authorization header, but it was trapped by the above restriction.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

That's all I understand.
However, on the official Slack API page for the method in question, it says to specify the token in the Authorization header, so I'm having trouble.

I also don't understand how to specify the Access-Control-Request-Headers in the preflight header, as described in another questioner's thread. The reason is that the only thing that communicates to the Slack API is the browser in this case, and the only relevant source is JavaScript (React / Next.js to be exact)!

After that, I found preflight response from Slack API as follows;

access-control-allow-headers: slack-route, x-slack-version-ts, x-b3-traceid, x-b3-spanid, x-b3-parentspanid, x-b3-sampled, x-b3-flags

As I thought, I understand that Authorization is not allowed because it is not included as a value. So the question is how to solve it.

Furthermore, I found out later that the preflight request from the browser properly declared that it wanted to use Authorization as an actual request header. However, the preflight response did not contain the value.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

makaylahk

Add To Favorites

Follow

Total Points: 166

Total Questions: 94

Total Answers: 117

Location: Gabon

Member since Sat, Jul 25, 2020

4 Years ago

makaylahk questions

1 Electron store data locally without localstorage

Tue, Apr 26, 22, 00:00, 2 Years ago

1 How do I use the useState hook to change the color of my react icons to blue?

Wed, Jul 21, 21, 00:00, 3 Years ago

1 Property 'selectionStart' does not exist on type 'EventTarget'

Fri, Mar 19, 21, 00:00, 3 Years ago

1 How can I pass multiple values in a single prop in react?

Sat, Feb 27, 21, 00:00, 3 Years ago

1 Chrome extension - message port closed before a response was received

Sun, Aug 9, 20, 00:00, 4 Years ago

View All

answered 2 Years ago clifford · Accepted Answer

Following CBroe's advice, I was able to contact the Slack help center directly, so I asked this problem. What I found out as a result is that HTTP requests from browsers are not supported as of the end of February 2022. Of course, they have received quite a lot of requests regarding this, so they hope to address it at some point.

This time, the browser sent Access-Control-Request-Headers:Authorization in the preflight request. But the Slack API server side did not allow the Authorization header in the request from the browser. Therefore, Authorization was not set in the Access-Control-Allow-Headers in the preflight response from the Slack API side.

As a result, the response from the Slack API side returned Invalid Auth, even though Authorization was added as a header when making an actual request from the browser.

Through this error, I gained a deeper understanding of HTTP requests such as CORS and preflighting, but since it is not explicitly written on the official Slack website, I left it here.

What is Preflight: https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

What is Access-Control-Allow-Header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

What is CORS simple request: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests