Happy Business Starts Here

Highlighted
New Student

Is the Orders API CORS enabled?

Hi all - Thanks in advance for any help your help!

I'm attempting to create a new subscription via the Orders API. (The sandbox I'm using has Orders functionality enabled)

I have separately implemented the new account creation (Accounts API) and new payment method (payment-methods/credit-card API) via individual calls complete with CORS pre-flight.

For the new subscription piece I first tried to hit the api directly w/o CORS preflight. This produced an error indicating that the request was blocked due to CORS.  I then added the extra step to obtain an HMAC sig and token but the preflight fails with an error indicating the Orders API is not CORS enabled.  

Tags (2)
2 REPLIES 2
New Student

Re: Is the Orders API CORS enabled?

Some additional details:

Here is the error I get when I hit the orders API w/o preflight:

Access to XMLHttpRequest at 'https://rest.apisandbox.zuora.com/v1/orders' from origin 'http://localhost:8080' has been blocked by CORS policy: Request header field apiaccesskeyid is not allowed by Access-Control-Allow-Headers in preflight response.

and here is the error I get from the HMAC signatures API if I implement CORS preflight:

success: false,
processId: 'C33844F2DD871B4D',
reasons:
[ { code: 59010020,
message:
'\'https://rest.apisandbox.zuora.com/v1/orders\' is not allowed to call in manner of CORS.' } ]

It's as if the Orders API is and isn't CORS enabled at the same time...

 

 

New Student

Re: Is the Orders API CORS enabled?

Okay - figured this out... This issue was really just my misunderstading of CORS.  I was mistakenly thinking that non CORS enabled api's could all be hit directly from browser-based client.  After some experimentation and re-reading, I finally figured out that all of the calls need to come from the server and that CORS enablement allows calls from the client after the pre-flight token is returned.  The solution was to move the calls to non-CORS enabled APIs from the client into the server.