Hi there,
Facing the following CORS issue when trying to access REST API both from a Heroku hosted React web application, and from localhost:3000
(redacted = ...)
Access to fetch at 'https://sandbox.dev.clover.com/v3/merchants/.../categories?expand=items&access_token=...' from origin '....herokuapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I have a Developer account + test Merchant set up, with the test dev application installed on the test merchant. When faced with the same CORS issue locally (while on localhost:3000), I have tried this configuration
- Site URL: http://localhost:3000/menu,
- CORS Domain: http://localhost:3000,
- Default OAuth Response: Token: Testing Only
(and reinstalled the Application on the test Merchant each time) to no avail - the OAuth cycle works (I get redirected to the correct URL with an access_token=... in the url), but making an API request with that same access_token and merchantId leads to the same CORS issue. Here are two example API calls I am trying to make.
https://sandbox.dev.clover.com/v3/merchants/.../categories?expand=items&access_token=...
https://sandbox.dev.clover.com/v3/merchants/.../items/${itemId}?expand=modifierGroups.modifiers&access_token=...
To be clear: all of these calls are being made from our frontend, with either JavaScript Fetch or Ajax. And weirdly, when I visit these endpoints directly in my browser (Chrome & Edge) and tested in Postman, I do not get that same CORS issue. Only facing it when it's called from my React code.
As this did not work either, I used local-cors-proxy to proxy my request to localhost:8010 and changed my API fetch call to:
http://localhost:8010/proxy/v3/merchants/AN32EGH84E221/categories?expand=items&access_token=d1a7036a-5889-cac9-980f-90b1e1e02f
: which did in fact work; I receive the correct payload and am able to use it across my application locally.
---
I obviously cannot proxy my request in the same way when the web-app is hosted - the REST configuration I tried for our Heroku app is this
- Site URL: ... .herokuapp.com/menu
- CORS Domain: ... .herokuapp.com
- Default OAuth Response: Token: Testing Only
Again, the OAuth seems to be functioning just fine, I am receiving the MerchantId, EmployeeId, ClientId and access_token in the URL when I hit Example OAuth Request, but making either of the API calls above leads to the same CORS issue. And again, visiting the endpoint myself either in my browser, or tested with Postman DOES show me the correct payload, it just does not work in React code.
---
I have extensively looked through the documentation and a lot of relevant forum posts, but am unable to figure this out. The documentation suggests the only API request with CORS disabled is the OAuth call to get access_token/code, but I am receiving those just fine from the URL. I think each access_token lasts for a year, so invalid tokens seem to be ruled out as well.
This forum post seems to suggest you cannot make these REST API calls from hosted/production webapps unless the actual Clover application is on the Marketplace (instead of from a developer account), but that leaves me with the same issue on localhost (I'd rather not proxy as I don't think I should be facing this issue in the first place).
I can add any missing / relevant info as requested -
Help is much appreciated, thank you for your time!
