Setting 'User-Agent' header causes error in browser. #10

Closed
brewnerd opened this issue Mar 6, 2016 · 13 comments

@brewnerd

brewnerd commented Mar 6, 2016

Particle.request() and downloadFirmwareBinary() explicitly set the 'User-Agent' string. This isn't allowed in the web browser (see http://stackoverflow.com/questions/7210507/ajax-post-error-refused-to-set-unsafe-header-connection). The API calls work fine if this code is removed.

@brycekahle
Contributor

Thanks for the bug report! I'll see about making this conditional, and if not, removing it altogether.

@brewnerd
Author

brewnerd commented Mar 6, 2016

Thx bryce.

@dgsmith

dgsmith commented Mar 11, 2016

I'm getting this as well in Chromium with particle.login():

XMLHttpRequest cannot load https://api.particle.io/oath/token. Request header field User-Agent is not allowed by Access-Control-Allow-Headers.

Going to try removing the line that adds the User Agent and give it a try.

@brycekahle
Contributor

I just released 5.2.3 which fixes this issue.

@Dimicus

Dimicus commented Mar 31, 2016

Hello @brycekahle

I might be out of line here, I just downloaded version "particle-api-js": "^5.2.6"

{
  "name": "photon",
  "private": true,
  "scripts": {
    "start": "meteor run"
  },
  "dependencies": {
    "meteor-node-stubs": "~0.2.0",
    "particle-api-js": "^5.2.6"
  }
}

made an easy login request
with this code


import { Template } from 'meteor/templating';
import { EventDB } from '../api/eventDB.js';
import { ReactiveDict } from 'meteor/reactive-dict';
import './body.html';

var Particle = require('particle-api-js');

var particle = new Particle();
var access_token = "";

//get access token
particle.login({username: 'email', password: 'password'})
  .then(
    function(data){
      access_token = data.body.access_token;
    },
    function(err) {
      console.log('API call completed on promise fail: ', err);
    }
  );

var pumpStuff = function(message){
  var fnPr = particle.callFunction({
      deviceId: 'jackdaniels',
      name: 'leanMachine',
      argument: message,
      auth: access_token
    });

  fnPr.then(
    function(data) {
      console.log('Function called succesfully:', data);
    }, function(err) {
      console.log('An error occurred:', err);
    }
  );
};

exports.pumpStuff = pumpStuff;

And I get an error in the Chrome console log

XMLHttpRequest cannot load https://api.particle.io/oauth/token. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost:3000' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.

I have been asking on the forum about it but have not yet received any answer, but other people have reached out to me saying they have this issue as well and it was caused by an update, but they can't say which one.
Could this update have anything to do with it?

BR
Dimi

@Dimicus

Dimicus commented Mar 31, 2016

@brycekahle
I am not sure my comment above is valid. It might be that the login needs to be called from the server part of Meteor and not the client. I have not been able to verify, though. Sorry to bother you without testing enough.

/Dimi

@brycekahle
Contributor

@Dimicus I think your bug is valid. I see that superagent is setting withCredentials to true for browser requests. If the server does not respond with Access-Control-Allow-Credentials: true and a non * value for Access-Control-Allow-Origin, the browser will reject the request.

@brycekahle
Contributor

On further examination, it only sets that if withCredentials() is called, which we do not.
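
Added example (not from the thread or from the particle-api-js project): a simplified JavaScript model of the two browser-side CORS checks behind the errors quoted in this issue, the Access-Control-Allow-Headers check and the wildcard-origin rule for credentialed requests. The name corsCheck and all header values are constructed for illustration; Content-Type value restrictions are not modelled.

```javascript
// Simplified model of the browser's CORS decision for one cross-origin request.
// Header values used with it are constructed, not captured from api.particle.io.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

const lower = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));

function corsCheck(request, responseHeaders) {
  const res = lower(responseHeaders);
  const allowOrigin = res['access-control-allow-origin'];

  // Credentialed requests: '*' is never accepted, and the server must opt in explicitly.
  if (request.withCredentials) {
    if (allowOrigin === '*') {
      return { allowed: false, reason: 'wildcard origin with credentials' };
    }
    if (res['access-control-allow-credentials'] !== 'true') {
      return { allowed: false, reason: 'Access-Control-Allow-Credentials is not true' };
    }
  }
  // Origin check: exact match, or '*' when no credentials are sent.
  if (allowOrigin !== request.origin && !(allowOrigin === '*' && !request.withCredentials)) {
    return { allowed: false, reason: 'origin not allowed' };
  }

  // Header check: every non-safelisted request header must be listed by the server.
  const listed = (res['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  // '*' only acts as a wildcard without credentials, and never covers Authorization.
  const wildcard = !request.withCredentials && listed.includes('*');
  for (const name of request.headers) {
    const n = name.toLowerCase();
    if (SAFELISTED.has(n) || listed.includes(n)) continue;
    if (wildcard && n !== 'authorization') continue;
    return { allowed: false, reason: `request header ${name} not in Access-Control-Allow-Headers` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed scenario: credentialed request answered with a wildcard origin.
console.log(corsCheck(
  { origin: 'http://localhost:3000', withCredentials: true, headers: [] },
  { 'Access-Control-Allow-Origin': '*' }
));
```
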

@Dimicus

Dimicus commented Mar 31, 2016

@brycekahle
Interesting, how come I get the issue when the only thing I do is call the login function from particle? Will do some more tests when I get some time.

Where can I see if the package I downloaded with npm install particle-api-js contains this issue? Please note that other people have claimed the same, i.e. https://community.particle.io/t/particle-api-js-user-agent-and-cache-control-errors/20664

And some others.
So it might be some issues
Anyway.

Br
Dimi

@brycekahle
Contributor

@Dimicus the errors in that thread are different and were fixed by the code that solved this issue. What you are experiencing is something different and I have a suspicion that it is meteor related.

@Dimicus

Dimicus commented Apr 1, 2016

I guess you are right.

Bryce, thank you very much and have a great day.
If I find anything related to this I will let you know :)

/Dimi

@brycekahle
Contributor

If you can provide a small example meteor application that demonstrates the error, I can help dig in.

@Dimicus

Dimicus commented Apr 2, 2016

I'm pretty sure it's Meteor now.
Everything works great when I use the code in the server environment, but if I use the same in the client I get the issue.

If you want to test you can use the login example below and use it on main.js in client folder on your meteor project ( meteor 1.3 )

var Particle = require('particle-api-js');
var particle = new Particle();

particle.login({username: 'email@example.com', password: 'pass'}).then(
  function(data){
    console.log('API call completed on promise resolve: ', data.body.access_token);
  },
  function(err) {
    console.log('API call completed on promise fail: ', err);
  }
); 

Think due to 1.3 that you also need to do meteor install npm, happens a lot there now so hard to follow :)

But from my point of view this is all Meteor issues, or rather that you need to use credential code in the server and not client, is security :) So it's more a feature that you can use it on client side.

BR
Dimi
