SAMSA Web Team asked David Marginian Deactivated commented

CORS domain blocked

Hi,

I am attempting to test connections in both production and testing. Both are giving me an error regarding CORS: "has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

Looking at our configuration, we have the CORS domain set properly, so I would expect for this to go through and at least get me to the next step.

Any guidance on how to address this would be appreciated.

Thanks!

-Steven Boudot

REST API, Remote Pay Cloud

David Marginian Deactivated answered David Marginian Deactivated edited

I don't know what "test connections" means, are you just making REST calls, are you using Remote Pay Cloud, what calls are failing? Are you sure your access token is valid? I would focus on one environment (sandbox or prod) and get that working first. The issue is likely either the access token you are using is invalid (how did you obtain it?) or there is a problem with your app's configuration (cors url).


SAMSA Web Team answered SAMSA Web Team commented

David, we're just trying to get help. To be honest, it's a bit frustrating trying to get help this way. I tried sending emails directly, but get no responses.

Is there a better way for us to share details about our circumstances so we can get our app working?

Thanks

2 comments

David Marginian ♦♦ commented ·

You can get help and provide details without sharing access tokens, your app's secret etc. You provided a lot of information but no information about the request that is failing. Is it the connection to the device? Can you provide the cloud configuration (redact any secrets, please EVEN in a private comment) you are using in a moderator's only comment?

0 Likes 0 ·
SAMSA Web Team (to David Marginian ♦♦) commented ·
Ok. Please see the comment I posted a moment ago, regarding the previously answered question, and requesting/using auth token from the app's backend server. It looks like requesting the auth token in the browser, then using that token from the backend server could be the cause of our CORS error, right?

Thanks

0 Likes 0 ·
SAMSA Web Team answered SAMSA Web Team commented

David, is it possible that this thread is addressing our problem? https://community.clover.com/questions/17210/oauth-request-for-api-token-blocked-by-cors-policy.html

We made the call to get auth token with the browser, then pasted that token into our app on the backend server.

So, we need to have our app request the auth token, and then use that token going forward in the app for that session to avoid the CORS error we got?

Thanks



10 comments

David Marginian ♦♦ commented ·

You said you already have an access_token, so why would you be making a request to obtain one? That being said, your app is configured for testing, so I would suggest you change your OAuth response to code (Please see the App Configuration section here - https://community.clover.com/articles/23744/resolving-401-unauthorized-responses-when-making-a.html).

Do you even know what request is failing? Look at your browser's debug console and determine that, that is step 1. Since you are making a device call, and that is working, I suspect the connection to the device is failing (SDK call) and that you are passing in an invalid config. Make sure the cloverServer url you are passing is "https://www.clover.com", note, the www is important and necessary (https://docs.clover.com/docs/cloud-sdk-v3#option-2-cloud-pay-display).

0 Likes 0 ·
SAMSA Web Team (to David Marginian ♦♦) commented ·
Ok. Will pick up the discussion and testing tomorrow. Thanks for the help
0 Likes 0 ·
David Marginian ♦♦ (to SAMSA Web Team) commented ·
Ok, I will be out most of the day tomorrow but will check back when I can (very early morning or end of day, or this weekend). Please see my updated comment above for some other ideas on what the problem could be.
0 Likes 0 ·
SAMSA Web Team (to David Marginian ♦♦) commented ·
Yes, we have the base URL set correctly. The docs make that clear.


We're struggling to understand how the Clover API flow is supposed to work, trying to follow the "moving to production" docs. Our impression is that whereas Sandbox has a static auth token for development, production requires us to obtain a new auth token each time we open a new connection to the Clover, which makes sense for security.

Honestly we're not sure of the intention of setting Oauth to code. When we do that, I see we get code back, but what are we supposed to do with that code? I thought we're just trying to authenticate, and then operate our application. But, I will review the configuration section of that thread per your instructions to see if it can help.

I really wish there was someone we could chat with briefly to get us in the right direction. Pretty sure we're about there, but frustratingly stumbling in the dark, making tiny steps forward each day. It really lengthens the development process.

Thanks for your help

0 Likes 0 ·
David Marginian ♦♦ (to SAMSA Web Team) commented ·

Ok, let's go back to step 1, look in your browser's network tab, and find the call that is failing and provide it to me.

The OAuth flow is the same in sandbox and production. Once you have the code, you will obtain an access token using that code, your app's secret and your app's id, this is step 3 of the OAuth flow - https://docs.clover.com/docs/using-oauth-20#step-3-request-an-api-token. Once you have the token you can securely store it, if your merchant isn't going to be re-authing (logging in to their Clover dashboard).

0 Likes 0 ·
SAMSA Web Team answered David Marginian Deactivated commented

Steve Here:

We have gotten an api token on the server to connect our device to the app. When we send our request after getting the API token we receive:

Access to XMLHttpRequest at 'https://www.clover.com/v2/merchant/{merchant_id}/remote_pay?access_token={token}' from origin 'https://intranet.samsa.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In our App REST Configuration settings, we have the CORS Domain set as https://intranet.samsa.com. We would think this would be what we need to indicate that requests from intranet.samsa.com can go through.

In addition, we did a test in browser to get the device id and were successful in getting this. However, we are sending the same requests from the server and are getting a 401 Unauthorized when trying to get devices. We can confirm that we are getting an access token and are passing that in our call. This isn’t the real problem though as we have the device ids that we obtained from the browser. Our real problem is the CORS issue identified above.

Any guidance on our next step would be appreciated.


Thanks for your time!


6 comments

David Marginian ♦♦ commented ·

"However, we are sending the same requests from the server and are getting a 401 Unauthorized when trying to get devices."

If you are passing the same token, and the request is the same this doesn't make sense.

Send me the URL, the merchant id, your app id and the configuration you are using to connect to the device via the Remote Pay Cloud SDK in a moderator's only comment (select "Viewable by all users" below the submit button). DO NOT POST THE ACCESS TOKEN you are using.


0 Likes 0 ·
SAMSA Web Team (to David Marginian ♦♦) commented ·

Thanks for your help, David. Steve and I may be like ships passing today - both busy. But just to make sure context is set here:

  1. We're able to complete all steps in the browser down through getting Oauth Access_Token, and using that to obtain the Device ID for the merchant.

  2. Of course, when we try to use that Access_Token and Device ID we got in the browser to start a REST dialog on the server (hard coding in the values), we get a CORS error. We're assuming this is because we got the token and Id from workstation then tried to use on the backend app server.

  3. So, using we've replicated the process we used via browser into our app on the server. We're logging into the Merchant Clover account (not developer account), and clicking our App in the left-hand nav. We are redirected to our app as expected, and in the URL we are able to gather the Merchant ID and code as expected. We assume this is Steps 1 and 2 in the Oauth process per https://docs.clover.com/docs/using-oauth-20

  4. Using CURL in our app, since we've gathered Merchant ID and Code, we can try step 3 in the Oauth process, requesting API token. This is successful.

  5. Now that we have the API token generated on the app server via CURL, and since we know the device id (which we think is static and it was gathered via browser), we're trying to start a REST dialog, and getting the CORS error Steve referenced above. We don't understand this, as we're sending the request from our app server, which is the same as the CORS domain we have set in the APP, in our developer settings. That domain is https://intranet.samsa.com

  6. We thought we'd also try to make a request for Device ID from the app server via CURL, and oddly we're getting the 401 unauthorized from https://www.clover.com/v3/merchants/76T6A835W7J7P/devices?access_token=<Access_Token>

Just wanted to fill in some context to make sure you're getting the full picture. Appreciate your help.

Mike

0 Likes 0 ·
David Marginian ♦♦ (to SAMSA Web Team) commented ·

1) "We're able to complete all steps in the browser down through getting Oauth Access_Token". You should be obtaining the access token from your server, not from a browser.

5) CORS is enforced by the browser. Getting a CORS error is not possible if you are making the request from your server.

I just looked at your app - "SAMSA POS", it has a single permission - Read Payments. So, seeing a 401 is the expected response since your app does not have the necessary permissions. You really need to test your app in Sandbox, get the permissions set correctly, and then move to production when you have everything working. Please note, when you modify the permissions on your app you will need to uninstall/re-install the app and obtain a new access token. Please see - https://community.clover.com/articles/23744/resolving-401-unauthorized-responses-when-making-a.html for more information.


0 Likes 0 ·
SAMSA Web Team answered

Perhaps we should focus on getting sandbox working again before moving to production. It was working and was approved with the existing permissions - a video of the app working was required for approval. Not sure why we're having so many problems getting into production, but getting working in sandbox would likely be a good thing prior to forging again on production.

On the CORS error - I'll have to let Steve fill us in on how that's technically occurring. Our PHP and javascript application on our web server is making the calls, but could be via CURL which may account for the CORS error. We can send you screenshots/video if you like, so you can see it happening on our side. Maybe that will point you/us to where the misunderstanding is.

Thanks

SAMSA Web Team answered

Thanks, David. We'll do that.

SAMSA Web Team answered David Marginian Deactivated edited

Hi again David,

This is Steve again.

I am doing more testing and am still running into CORS issues.

I am attempting for our testing server and development application. We have generated and received a working access token from the server. However, we are still getting the following error when trying to connect from the server with the access token:

Access to XMLHttpRequest at 'https://sandbox.dev.clover.com/v2/merchant/{merchant_id}/remote_pay?access_token={access_token}' from origin 'http://199.167.252.243' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

However, I can confirm the access token is valid as I do a test request of getting devices for a merchant using that access token and get results in the browser. Get a "401 unauthorized" message when trying from a CURL call on the server.

I can also confirm in our testing CORS domain is set:

Site URL: http://199.167.252.243/samsa-intranet/www/pos/

CORS Domain: http://199.167.252.243


Any insight into this would be helpful. It feels as though requests from the server are still getting blocked on the clover side even with this setting in place. If I am misinterpreting this error in any way though please let me know.

Thanks for your help!

-Steve

3 comments

David Marginian ♦♦ commented ·

Hi Steve, as I have previously requested, you need to send me the connection configuration you are using to connect to the device (redact the access token please).

"However, I can confirm the access token is valid as I do a test request of getting devices for a merchant using that access token and get results in the browser. Get a "401 unauthorized" message when trying from a CURL call on the server."

The above doesn't make sense.

0 Likes 0 ·
SAMSA Web Team (to David Marginian ♦♦) commented ·

David,

Below are the configuration settings we have for connecting. We are using the library provided here to establish a connection: https://github.com/clover/remote-pay-cloud-examples. I have redacted the access token as requested, but included the merchant/device as that is part of the information requested. If that wasn't needed please disregard.

config['applicationId'] = 'PKJNAYFPJ4NWP.SSS7MR8F3YQ62';
config['accessToken'] = 'current_access_token';
config['cloverServer'] = 'https://sandbox.dev.clover.com/';
config['merchantId'] = 'W7A825FJQKAW1';
config['deviceId'] = '546dd471-4667-6134-c73c-efa121e8dd4c';


What I'm trying to say with the statement that didn't make sense to you is I am able to generate an API token on the server which I feel is valid because I can take that access token and make an API call from my browser (not the server) and get a result set requesting the list of devices tied to the merchant. With this call in the browser, I can see the device and get the id. However, when run from the server, I receive a 401 unauthorized response. Just trying to convey that the API token is valid because I wouldn't be able to get that device list in my browser if it wasn't. If I'm misunderstanding though please let me know.

Thanks!

-Steve

0 Likes 0 ·
David Marginian ♦♦ (to SAMSA Web Team) commented ·

What doesn't make sense is you saying a request from the browser works, but the same request from the server doesn't. There is obviously a difference in the requests. I can't tell you what that difference is because I am not the one initiating the requests. Your cloud configuration seems ok (assuming the merchant and device id are correct). Are you passing the same token that you are using for the successful request to obtain the devices (fyi if the devices request is working from the browser then this is not a CORS issue, however, when the token doesn't have the proper permissions you may see a CORS error)? What permissions does your sandbox app have? Have you modified the permissions? If you have, you need to uninstall and reinstall the app from the dashboard and then obtain a new token.

0 Likes 0 ·
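The distinction drawn in the comments above (CORS is enforced by the browser, while a server-side call such as curl always sees the real HTTP status) can be modelled as follows. This is an added example, not part of any post in this thread and not Clover's code; the two sample responses are constructed, and the function names `originOf`, `header`, `browserAllowsRead` and `observe` are hypothetical.

```javascript
// Added example: simplified model of the browser's CORS response check.
// Responses below are constructed for illustration, not captured from Clover.
// Preflight (OPTIONS) handling is not modelled.

// An origin is scheme + host + port; any path in a site URL is dropped.
function originOf(url) {
  return new URL(url).origin;
}

// Case-insensitive header lookup on a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Would a browser let script on pageUrl read this cross-origin response?
function browserAllowsRead(pageUrl, headers, withCredentials = false) {
  const allow = header(headers, 'Access-Control-Allow-Origin');
  if (allow === null) return false;                  // "No ... header is present"
  if (allow === '*' && !withCredentials) return true;
  if (allow !== originOf(pageUrl)) return false;     // must match the origin exactly
  return !withCredentials ||
    header(headers, 'Access-Control-Allow-Credentials') === 'true';
}

// What each kind of client reports for the same HTTP response.
function observe(client, pageUrl, response) {
  if (client === 'server') {
    // curl / PHP / Node: no same-origin policy, so the status is always visible.
    return { blocked: false, status: response.status };
  }
  if (!browserAllowsRead(pageUrl, response.headers)) {
    // XMLHttpRequest reports status 0 and the console prints the CORS message,
    // whatever status the server actually sent.
    return { blocked: true, status: 0 };
  }
  return { blocked: false, status: response.status };
}

// Constructed samples: an error response sent without CORS headers, and a
// success response that echoes the CORS domain quoted earlier in the thread.
const PAGE = 'http://199.167.252.243/samsa-intranet/www/pos/';
const unauthorized = { status: 401, headers: { 'Content-Type': 'application/json' } };
const ok = { status: 200, headers: { 'access-control-allow-origin': 'http://199.167.252.243' } };

console.log('browser, 401 without CORS headers:', observe('browser', PAGE, unauthorized));
console.log('server,  401 without CORS headers:', observe('server', PAGE, unauthorized));
console.log('browser, 200 with matching origin:', observe('browser', PAGE, ok));
```

When the browser console shows only a CORS message, repeating the same request from the server (or reading the status in the browser's network tab) reveals whether the underlying response was actually a 401.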
SAMSA Web Team answered David Marginian Deactivated commented

Hi, David. Helping Steve out here...

Pretty sure I can uninstall the app from our sandbox account. How do we reinstall it, as this is a private javascript cloudpay app, not an app that's installed via market?


Thanks

1 comment