Request blocked by CORS

Hi Guys,

We’re building an app for monday.com and we’ve hit a problem.

Our app is attempting to exchange an authorization code for an access token, following the documentation here:

https://monday.com/developers/apps/oauth

Once we have the authorization code, we post it to https://auth.monday.com/oauth2/token with client_id, client_secret and code.

But we’re getting a CORS error:

Is this an issue at our end or at Monday.com’s end?

Hi @memolipd, Paolo

Although I do not know the exact context in which you are using the OAuth handshake, I can confirm (just tested) that the OAuth handshake sequence is working for a server-side app (like integrations).

Hi there @memolipd :wave:

First of all, a very warm welcome to the community! :fire: I hope you enjoy your stay.

This is something I’ll double-check with the team just to be certain, but it does seem like something might be missing on your end. I’ve done some quick searching online and found a similar issue in a StackOverflow thread here:

As soon as I get further detail from the team regarding your specific case, I’ll add more info as well.

EDIT: @basdebruin - thank you so much for testing this out on your end as well. I really appreciate you being there for other members in the community :hugs:

-Alex

This is not an integration - we’re trying to do an OAuth request to get an access token from an in-monday view.

Your SDK provides no access token for an in-monday view app to use, so we’re forced to complete the entire OAuth flow to get one. Is there any reason you don’t provide an easier means to get an access token to the in-view client? It would be very simple to do from the SDK but it’s missing.

We’re looking to use the in-view app to pass an access token to our API server. Our API server could then decode this token with monday, which would authenticate requests from the in-view app to our API server.

The CORS are set on monday.com’s server; it looks like the in-view app is posting to monday’s API server and monday’s API server is blocking it as it doesn’t like the origin domain.

@memolipd

Hi there!

If you are looking to get a token from a View/Widget, you can use:
monday.get('sessionToken').then(res => { });

This will return a token that is encoded using your CLIENT_SECRET

It is available using the monday SDK

This token will allow you to make API calls on behalf of the logged-in user as well. When you use the mondayClient without adding a token (View/Widget only) this is the token that the SDK will use.

That way you don’t need to follow an oAuth process

3 Likes

@mitchell.hudson thanks for jumping in and sharing your expertise here :slight_smile: I appreciate it.

@memolipd did Mitchell’s suggestion help? Please let us know :slight_smile:

-Alex

Yep thanks - We’re passing the session token now which is working.

We’d prefer an access token with a refresh token, as this will allow our API to access the monday.com API on behalf of the user without any input from the user (i.e. offline analysis), but for now the session token helps us with authorising requests.

1 Like

@memolipd thanks for confirming, I am really glad to hear everything is sorted out. I appreciate your feedback as well - I’ll pass that to the development team to discuss :slight_smile:

Nicely done with solving this one, Mitchell. You’re awesome :sunglasses:

-Alex

So a little update:

On the client we’re getting the session token and passing it as a header to our API server.

The API also has the SDK set up and we’re running monday.setToken('mytoken') to auth the lib and then make some requests on the user’s behalf.

Problem is, after setting the token and hitting monday.api(...) we’re getting:
{ errors: [ 'Not Authenticated' ] }

Any ideas? It would be great if Monday could document the best practices for using an app to bypass the OAuth flow to authenticate an API server.

Hey @memolipd!

I’m not sure if you’re facing the same problem that I did or not but just in case it’s the same:
I remembered when using my token in setToken or monday.api(query, {options: {token: token}})
You don’t need to supply a token to be able to make requests on the user’s behalf.

My problem was that I got vague errors such as “not authenticated” or “validation error” which was a total head scratcher.

The solution was to set the scope of what you need. I completely forgot to update the scopes, so I suggest checking them all off at the beginning. Here’s my post with the solution: Monday API SDK Not Authenticated or Graphql validation errors

Thanks Pepperaddict, we ran into that problem too - it silently failed and was a pain to figure out!

But our current issue is because we’re trying to use the token on our API server, not inside the client (where this is all handled for you)

One of the monday devs has just told me the session token will only work on client side so we’re back to the OAuth flow which is a shame.

1 Like

@memolipd

What we have done to allow for the oAuth flow in a view is open up a new window. This removes the CORS issue as it is outside the scope of the monday window.

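// Open our server's OAuth entry point in a separate window, outside the monday iframe.
const myWindow = window.open(API_URL+'/authorisation?token='+this.state.sessionToken, "_blank", "toolbar=yes,scrollbars=yes,resizable=yes,top=500,left=500,width=800,height=800");
const self = this;
// Poll until the popup has closed, then ask our server whether the account is now authorised.
const timer = setInterval(function() {
  // window.open returns null when the popup is blocked, so guard before reading .closed.
  if (!myWindow || myWindow.closed) {
    clearInterval(timer);
    self.checkValidAccount(self.state.sessionToken);
  }
}, 500);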

It probably isn’t the cleanest version, but it will get the job done. I know a few others that have done this as well.

I will have to check with my team as I thought we had been using the session token on our server, we may have just been using it to confirm that the request was coming from monday and not an attacker.

2 Likes
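
The server-side check mentioned in the post above (confirming that a request really came from monday), as an added example that is not part of the original thread or of monday's SDK. It assumes the session token is an HS256-signed JWT keyed with the app's client secret and carrying a standard `exp` claim; `verifySessionToken` and `signForDemo` are hypothetical names, and the secret and payload are constructed.

```javascript
const crypto = require('crypto');

// Decode one base64url JWT segment to a Buffer.
const b64url = (s) => Buffer.from(s, 'base64url');

// Verify an HS256 JWT against the app's client secret (assumed token format).
// Returns the decoded payload, or throws on any failure.
function verifySessionToken(token, clientSecret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;

  let header, payload;
  try {
    header = JSON.parse(b64url(h).toString('utf8'));
    payload = JSON.parse(b64url(p).toString('utf8'));
  } catch {
    throw new Error('malformed token');
  }

  // Pin the algorithm: the token's own header must not choose it ("none", RS256, ...).
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  const expected = crypto.createHmac('sha256', clientSecret).update(`${h}.${p}`).digest();
  const given = b64url(sig);
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  // Reject tokens with no expiry or an expiry in the past.
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) throw new Error('expired');
  return payload;
}

// Constructed sample only: mint a token locally with a made-up secret.
function signForDemo(payload, secret, alg = 'HS256') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = `${enc({ alg, typ: 'JWT' })}.${enc(payload)}`;
  return `${body}.${crypto.createHmac('sha256', secret).update(body).digest('base64url')}`;
}
```

The client secret stays on the API server; the view only forwards the token it got from `monday.get('sessionToken')` in a request header.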

Hi All

I have just come across a CORS policy restriction as well. My use case is that I am trying to get a token from an Office JavaScript add-in, which effectively runs from within a browser object, so it is sending preflight requests. The POST request itself works just fine (from Postman it gives me a bearer token), but it is the OPTIONS preflight request sent by the browser window which fails.

May I know what the CORS policy on the OAuth token endpoint is? From which origins is it accepting requests? Is there a way to add an eligible origin domain?

Is there another way to get an access token from a JavaScript application which would neither be a board view, nor a widget? I am seeing an .oauthToken method in monday-sdk-js, but it gives me an error and I can’t find any documentation on it.

Thanks