Hi,
I am attempting to test connections in both production and testing. Both are giving me an error regarding CORS: "has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
Looking at our configuration, we have the CORS domain set properly, so I would expect for this to go through and at least get me to the next step.
Any guidance on how to address this would be appreciated.
Thanks!
-Steven Boudot
I don't know what "test connections" means, are you just making REST calls, are you using Remote Pay Cloud, what calls are failing? Are you sure your access token is valid? I would focus on one environment (sandbox or prod) and get that working first. The issue is likely either the access token you are using is invalid (how did you obtain it?) or there is a problem with your app's configuration (cors url).
David, we're just trying to get help. To be honest, it's a bit frustrating trying to get help this way. I tried sending emails directly, but get no responses.
Is there a better way for us to share details about our circumstances so we can get our app working?
Thanks
You can get help and provide details without sharing access tokens, your app's secret etc. You provided a lot of information but no information about the request that is failing. Is it the connection to the device? Can you provide the cloud configuration (redact any secrets, please EVEN in a private comment) you are using in a moderator's only comment?
Thanks
David, is it possible that this thread is addressing our problem? https://community.clover.com/questions/17210/oauth-request-for-api-token-blocked-by-cors-policy.html
We made the call to get auth token with the browser, then pasted that token into our app on the backend server.
So, we need to have our app request the auth token, and then use that token going forward in the app for that session to avoid the CORS error we got?
Thanks
You said you already have an access_token, so why would you be making a request to obtain one? That being said, your app is configured for testing, so I would suggest you change your OAuth response to code (Please see the App Configuration section here - https://community.clover.com/articles/23744/resolving-401-unauthorized-responses-when-making-a.html).
Do you even know what request is failing? Look at your browser's debug console and determine that, that is step 1. Since you are making a device call, and that is working I suspect the connection to the device failing (SDK call) and that you are passing in an invalid config. Make sure the cloverServer url you are passing is "https://www.clover.com", note, the www is important and necessary (https://docs.clover.com/docs/cloud-sdk-v3#option-2-cloud-pay-display)
We're struggling to understand how the Clover API flow is supposed to work, trying to follow the "moving to production" docs. Our impression is that whereas Sandbox has a static auth token for development, production requires us to obtain a new auth token each time we open a new connection to the Clover, which makes sense for security.
Honestly we're not sure of the intention of setting Oauth to code. When we do that, I see we get code back, but what are we supposed to do with that code? I thought we're just trying to authenticate, and then operate our application. But, I will review the configuration section of that thread per your instructions to see if it can help.
I really wish there was someone we could chat with briefly to get us in the right direction. Pretty sure we're about there, but frustratingly stumbling in the dark, making tiny steps forward each day. It really lengthens the development process.
Thanks for your help
Ok, let's go back to step 1, look in your browser's network tab, and find the call that is failing and provide it to me.
The OAuth flow is the same in sandbox and production. Once you have the code, you will obtain an access token using that code, your app's secret and your app's id, this is step 3 of the OAuth flow - https://docs.clover.com/docs/using-oauth-20#step-3-request-an-api-token.. Once you have the token you can securely store it, if your merchant isn't going to be re-authing (logging in to their Clover dashboard).
Steve Here:
We have gotten an api token on the server to connect our device to the app. When we send our request after getting the API token we receive:
Access to XMLHttpRequest at 'https://www.clover.com/v2/merchant/{merchant_id}/remote_pay?access_token={token}' from origin 'https://intranet.samsa.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
In our App REST Configuration settings, we have the CORS Domain set as https://intranet.samsa.com. We would think this would be what we need to indicate that requests from intranet.samsa.com can go through.
In addition, we did a test in browser to get the device id and were successful in getting this. However, we are sending the same requests from the server and are getting a 401 Unauthorized when trying to get devices. We can confirm that we are getting an access token and are passing that in our call. This isn’t the real problem though as we have the device ids that we obtained from the browser. Our real problem is the CORS issue identified above.
Any guidance on our next step would be appreciated.
Thanks for your time!
However, we are sending the same requests from the server and are getting a 401 Unauthorized when trying to get devices.
If you are passing the same token, and the request is the same this doesn't make sense.
Send me the URL, the merchant id, your app id and the configuration you are using to connect to the device via the Remote Pay Cloud SDK in a moderator's only comment (select "Viewable by all users" below the submit button). DO NOT POST THE ACCESS TOKEN you are using.
Thanks for your help, David. Steve and I may be like ships passing today - both busy. But just to make sure context is set here:
Just wanted to fill in some context to make sure you're getting the full picture. Appreciate your help.
Mike
1) "We're able to complete all steps in the browser down through getting Oauth Access_Token". You should be obtaining the access token from your server, not from a browser.
5) CORs is enforced by the browser. Getting a "CORs error is not possible if you are making the request from your server.
I just looked at your app - "SAMSA POS", it has a single permission - Read Payments. So, seeing a 401 is the expected response since your app does not have the necessary permissions. You really need to test your app in Sandbox, get the permissions set correctly, and then move to production when you have everything working. Please note, when you modify the permissions on your app you will need to uninstall/re-install the app and obtain a new access token. Please see - https://community.clover.com/articles/23744/resolving-401-unauthorized-responses-when-making-a.html for more information.
Perhaps we should focus on getting sandbox working again before moving to production. It was working and was approved with the existing permissions - a video of the app working was required for approval. Not sure why we're having so many problems getting into production, but getting working in sandbox would likely be a good thing prior to forging again on production.
On the CORS error - I'll have to let Steve fill us in on how that's technically occurring. Our PHP and javascript application on our web server is making the calls, but could be via CURL which may account for the CORS error. We can send you screenshots/video if you like, so you can see it happening on our side. Maybe that will point you/us to where the misunderstanding is.
Thanks
Thanks, David. We'll do that.
Hi again David,
This is Steve again.
I am doing more testing and am still running into CORS issues.
I am attempting for our testing server and development application. We have generated and received a working access token from the server. However, we are still getting the following error when trying to connect from the server with the access token:
Access to XMLHttpRequest at 'https://sandbox.dev.clover.com/v2/merchant/{merchant_id}/remote_pay?access_token={access_token}' from origin 'http://199.167.252.243' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
However, I can confirm the access token is valid as I do a test request of getting devices for a merchant using that access token and get results in the browser. Get a "401 unauthorized" message when trying from a CURL call on the server.
I can also confirm in our testing CORS domain is set:
Site URL: http://199.167.252.243/samsa-intranet/www/pos/
CORS Domain: http://199.167.252.243
Any insight into this would be helpful. It feels as though requests from the server are still getting blocked on the clover side even with this setting in place. If I am misinterpreting this error in any way though please let me know.
Thanks for your help!
-Steve
Hi Steve, as I have previously requested, you need to send me the connection configuration you are using to connect to the device (redact the access token please).
"However, I can confirm the access token is valid as I do a test request of getting devices for a merchant using that access token and get results in the browser. Get a "401 unauthorized" message when trying from a CURL call on the server."
The above doesn't make sense.
David,
Below is the configuration settings we have for connecting. We are using the library provided here to establish connect: https://github.com/clover/remote-pay-cloud-examples.. I have redacted the access token as requested, but included the merchant/device as that is part of the information requested. If that wasn't needed please disregard.
config['applicationId'] = 'PKJNAYFPJ4NWP.SSS7MR8F3YQ62';
config['accessToken'] = 'current_access_token'
config['cloverServer'] = 'https://sandbox.dev.clover.com/';
config['merchantId'] = 'W7A825FJQKAW1';
config['deviceId'] = '546dd471-4667-6134-c73c-efa121e8dd4c';
What I'm trying to say with the statement that didn't make sense to you is I am able to generate an API token on the server which I feel is valid because I can take that access token and make an API call from my browser (not the server) and get a result set requesting the list of devices tied to the merchant. With this call in the browser, I can see the device and get the id. However, when run from the server, I receive a 401 unauthorized response. Just trying to convey that the API token is valid because I wouldn't be able to get that device list in my browser if it wasn't. If I'm misunderstanding though please let me know.
Thanks!
-Steve
What doesn't make sense is you saying a request from the browser works, but the same request from the server doesn't. There is obviously a difference in the requests. I can't tell you what that difference is because I am not the one initiating the requests. Your cloud configuration seems ok (assuming the merchant and device id is correct). Are you passing the same token that you are using for the successful request to obtain the devices (fyi if the devices request is working from the browser then this is not a cors issue, however, when the token doesn't have the proper permissions you may see a cors error)? What permissions does your sandbox app have? Have you modified the permissions? If you have you need to uninstall and reinstall the app from the dash board and then obtain a new token.
Hi, David. Helping Steve out here...
Pretty sure I can uninstall the app from our sandbox account. How do we reinstall it, as this is a private javascript cloudpay app, not an app that's installed via market?
Thanks
1 Person is following this question.
