
Cross Origin error about awairweb HOT 6 CLOSED

smklancher commented on June 29, 2024
Cross Origin error

from awairweb.

Comments (6)

smklancher commented on June 29, 2024

This is unfortunately a recent change that Awair made (with no announcement or documentation). I will look at some possible changes I can make to handle this, but it really undermines the simplicity of the current approach. Below is the exchange I had with Awair support over the past two weeks.

Hi all,

Regarding the example response here: Awair Home & OAuth Developer APIs (getawair.com)
It shows that it has access control headers that would allow it to be called from other domains:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Accept-Encoding, Accept-Language, Host, Referer, User-Agent
Access-Control-Allow-Credentials: true

But when calling the actual API the response doesn't have these headers. So calling it via Postman works (no CORS restrictions), but when called from an actual browser (in my case via WebAssembly: AwairBlazor (smklancher.github.io)), it is blocked with a CORS error.

Is something different needed for calling the API cross domain in the browser?
Is this related to blocking the PlanetWatch mentioned on twitter or something?

Thanks for any help!
Stephen

Hi Stephen,

Engineering reports that we don’t allow cross-domain resource sharing when calling the API from a web browser. This is our security policy. The majority of our API use cases are system-to-system integration. If you want to use the browser to call the API directly, you can consider using a browser proxy.

Thanks and Breathe Easy,
Benjamin

Hi Benjamin,

Thanks for the confirmation. My project has been calling it from the browser for more than two years. So, this is a new security policy, so it would have been nice if there had been something in public documentation announcing it. As I mentioned, your developer documentation provides example API responses and these examples specifically include the headers that do allow cross domain requests. You would want to change those to align with your new policy.

But either way I appreciate the confirmation.

Thanks!
Stephen

Hi Stephen,

I'm passing on your feedback to engineers and it's really appreciated. They have mentioned an announcement coming up for any API changes. We want to be transparent and keep you all in the know just as much as we are!

Thanks and look out for an email in the coming weeks.
Breathe Easy,
Benjamin


mdcarreira commented on June 29, 2024

Argh, damn... Let's hope they provide a way to support the use of your web app.


smklancher commented on June 29, 2024

I deployed an instance of cors-anywhere to railway.app and am running the API calls through that now. I'm assuming there will never be enough traffic to go beyond railway's free usage.

Though there generally shouldn't be a need to change it, the setting should work with any CORS proxy that allows Authorization headers. The only working public one I found at the moment was thingproxy. So, for example, if my railway account hit the usage limit and I haven't gotten around to fixing it yet, the app would still be usable by changing the proxy setting to "https://thingproxy.freeboard.io/fetch/".

from awairweb.
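
Added example, not part of the thread or of the awairweb code: a simplified JavaScript model of the CORS checks a browser applies, showing why the documented headers would permit the call, why the response without them is blocked, and why a proxy has to name Authorization in its preflight reply. The request origin, the OBSERVED header set and the function names are assumptions made for illustration.

```javascript
// Added example: simplified model of the CORS checks a browser applies (Fetch standard).
// Content-Type is treated as always safelisted; real browsers also inspect its value.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

const lower = (h) => Object.fromEntries(Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), v.trim()]));
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns null when the origin check passes, otherwise the reason it fails.
function originProblem(h, req) {
  const acao = h["access-control-allow-origin"];
  if (!acao) return "no Access-Control-Allow-Origin header";
  if (!req.credentials) return acao === "*" || acao === req.origin ? null : "origin not allowed";
  if (acao === "*") return "wildcard origin rejected for credentialed request";
  if (acao !== req.origin) return "origin not allowed";
  return h["access-control-allow-credentials"] === "true" ? null : "Access-Control-Allow-Credentials is not true";
}

function corsVerdict(req, preflightHeaders, responseHeaders) {
  const fail = (stage, reason) => ({ allowed: false, stage, reason });
  const custom = (req.headers || []).map((n) => n.toLowerCase()).filter((n) => !SAFELISTED.has(n));
  if (custom.length > 0 || !SIMPLE_METHODS.has(req.method)) {
    const p = lower(preflightHeaders);
    const pre = originProblem(p, req);
    if (pre) return fail("preflight", pre);
    const allowHeaders = list(p["access-control-allow-headers"]);
    const allowMethods = list(p["access-control-allow-methods"]);
    const star = (values) => !req.credentials && values.includes("*");
    for (const name of custom) {
      // "*" never covers Authorization: it has to be listed by name.
      const ok = allowHeaders.includes(name) || (star(allowHeaders) && name !== "authorization");
      if (!ok) return fail("preflight", `${name} not in Access-Control-Allow-Headers`);
    }
    if (!SIMPLE_METHODS.has(req.method) && !allowMethods.includes(req.method.toLowerCase()) && !star(allowMethods))
      return fail("preflight", `${req.method} not in Access-Control-Allow-Methods`);
  }
  const problem = originProblem(lower(responseHeaders), req);
  return problem ? fail("response", problem) : { allowed: true, stage: "response", reason: "ok" };
}

// Constructed inputs. DOCUMENTED copies the header values quoted in the thread.
const REQUEST = { origin: "https://smklancher.github.io", method: "GET", headers: ["Authorization"], credentials: false };
const DOCUMENTED = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
  "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, Authorization, Accept-Encoding, Accept-Language, Host, Referer, User-Agent",
  "Access-Control-Allow-Credentials": "true",
};
const OBSERVED = { "Content-Type": "application/json" }; // no CORS headers, as reported
```

Because the Authorization header makes the request non-simple, the failure in the OBSERVED case happens at the preflight, before the token is ever sent to the API.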

mdcarreira commented on June 29, 2024

Cool, thanks for quickly deploying this workaround. It is working now :)

By the way, are you planning to add the "Score" information? It would be very useful in case you just want a quick check of the overall quality of your air.


smklancher commented on June 29, 2024

Not planning anything in general, but that's manageable enough: I've added it.


mdcarreira commented on June 29, 2024

This is perfect, thank you so much!

