Rest API Post Request

Hi everyone,

As always any advice/input is much appreciated.

I am using the built-in API functionality of Axelor. I am running a React project for the frontend where I can successfully make GET, PUT and DELETE requests and retrieve/create/delete data using the API. However, I am unable to make a POST request in the browser (I receive a 403 error response). The strange thing is that I am able to make a POST request without any issue in Postman. To test, I have taken the request code directly from Postman and tried it in the browser: again a 403 error.

I need to be able to make POST requests to update data and have been stuck with this issue for quite some time.

I am using Axios to make the requests. I can see in the network tab that the JSESSIONID and CSRF token are being correctly sent in the headers.

In application properties I have cors set to *:
cors.allow.origin = *

Axios request code:

const BASE_URL = "http://localhost:8080/axelor-erp/ws/rest/";
const ITEM_LOCATION = "com.axelor.ross.db.Item";

axios.defaults.withCredentials = true;

const head = {
  "Content-Type": "application/json",
  "Accept": "application/json"
};

var body = {
  "data": {
    "id": 185,
    "version": 5,
    "itemType": "DRINK",
    "costPrice": "0",
    "timeSold": 0,
    "price": "1.50",
    "name": "Milk"
  }
};

return axios.post(BASE_URL + ITEM_LOCATION + "/185", body, head);

Request header being set (using developer tools):

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: keep-alive
Content-Length: 113
Content-Type: application/json;charset=UTF-8
Cookie: JSESSIONID=00D63D123BB330A7A53C5D86ECBCC614; CSRF-TOKEN=29747775-becd-4b3f-8404-31396bc0bf5a
Host: localhost:8080
Origin: http://localhost:3000
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Again any help appreciated. Thanks in advance.

Hello
It seems to be a permission/auth filter that is returning the 403.
Did you properly configure the auth/permission for the entity you are trying to post to?

Hi Fabio,

Thanks for getting in touch so quickly.
I may have - however I wasn’t aware that particular configuration had to be done on the auth/permission for the entity to make a POST update via the API. Could you please give more info on what you mean by configure? Which auth/permission needs to be configured? Thanks a mill, Daryl

Hi @daryl

I think these are the permissions you need to double check
for this entity: com.axelor.ross.db.ItemMenu

Then you need to enable them for your user/profile/role

Hi Fabio,

Thanks for the suggestion but this doesn’t fix the issue. As mentioned, I can successfully create, read and remove; the issue lies with write, i.e. a POST request.

Thanks again.


So using Postman is OK.
Setting the header in the browser doesn’t work; I’m thinking there is some issue with how your browser sets the header.
Have you tested with curl?

It might be some technical issue, but from the post I see the constant name is not matching.

Can you please confirm that?

Exactly, postman is ok but not the browser.

I haven’t tested with curl as I am not familiar with the technology however I will give it a try and report back to you. I’m using Chrome so I will also try in another browser today in case the results vary. Thanks for the suggestion.

Hi Siddique,

That’s a good spot but unfortunately that is just an error on my behalf when making the post here on the forum. I have updated the post.

Thanks Siddique.

Where are you intercepting requests to attach the cookie?

I am using the line above to handle cookie attachment (if this is what you meant in your question). As seen in the original post the JSESSIONID and CSRF-TOKEN are being sent in the request in the headers so to the best of my knowledge I can only assume this isn’t the issue.

#!/bin/bash
curl -c cookies.txt --location --request POST 'https://localhost:8080/login.jsp' --header 'Content-Type: application/json' --data-raw '{
    "username": "admin",
    "password": "admin"
}'
curl -b cookies.txt --location --request POST 'https://localhost:8080/ws/action' --header 'Content-Type: application/json' --data-raw '{"model":"com.axelor.meta.db.MetaView","action":"action-meta-restore-all","data":{"_domain":null,"_domainContext":{"_id":null,"_model":"com.axelor.meta.db.MetaView"},"operator":"and","criteria":[],"_signal":"restoreAll"}}'

The above works painlessly. You are fetching cookies from the login URL, right? And saving them in local storage?

Yes I am fetching the cookies when I login using the same URL as you have included above:
https://localhost:8080/login.jsp

These cookies are being automatically handled by axios when using the:

axios.defaults.withCredentials = true;

I have attached the screenshot below to show the cookies are saved:

I have compared the JSESSION and CSRF token IDs here to the IDs for these fields being sent in the POST request and they are the same.

Is there a way to inspect it, like we do in developer tools? I feel something is getting lost in flight.
What logs are you seeing in the console?

I have attached as much information as I can get using the Chrome developer tools. Thank you a thousand for helping me with this issue.

Screenshot 2021-01-10 at 14.47.44

Is CORS allowed?

Are you able to fetch any other model data?

Yes CORS is allowed. The issue is strange because I can successfully make GET, DELETE and PUT requests. The only issue is with POST.

I can fetch model data.
I can delete models.
I can create data.
I cannot edit data, i.e. a POST request.

Hello @daryl
Double check.
In your 1st post you tested to push at com.axelor.ross.db.ItemMenu/… (in your postman test it works)
In the screenshot attached you are testing
com.axelor.ross.db.ItemMenu/105

Basically it’s a different endpoint maybe with different permissions.
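
The request headers captured in the first post carry the CSRF token only inside the Cookie header, which the browser attaches automatically. As an added example (not code from any poster or from Axelor), the helpers below check a header dump for a separate token header and build an axios config that sends one; the header name `X-CSRF-Token`, the function names and the sample capture are assumptions to verify against your server, and the token cookie is assumed to be readable by the page script.

```javascript
// Added example, not code from the thread. CSRF_HEADER is an assumed name for
// the header a double-submit CSRF filter compares against the cookie.
const CSRF_COOKIE = "CSRF-TOKEN";
const CSRF_HEADER = "X-CSRF-Token";

// Parse a "Name: value" header dump as copied from browser developer tools.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Return one cookie's value from a Cookie header string, or null if absent.
function cookieValue(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return null;
}

// Summarise what a double-submit CSRF check would see in a captured request.
function diagnose(raw) {
  const h = parseHeaders(raw);
  const cookieToken = cookieValue(h["cookie"], CSRF_COOKIE);
  const headerToken = h[CSRF_HEADER.toLowerCase()] || null;
  const crossOrigin = Boolean(h.origin) && !h.origin.endsWith("//" + h.host);
  return { crossOrigin, cookieToken, headerToken,
           tokensMatch: cookieToken !== null && cookieToken === headerToken };
}

// Build an axios config: headers go under `headers`, token echoed from the cookie.
function buildConfig(cookieString) {
  const headers = { "Content-Type": "application/json", Accept: "application/json" };
  const token = cookieValue(cookieString, CSRF_COOKIE);
  if (token) headers[CSRF_HEADER] = token;
  return { withCredentials: true, headers };
}

// Constructed capture with the same shape as the one in the first post.
const SAMPLE_CAPTURE = [
  "Content-Type: application/json;charset=UTF-8",
  "Cookie: JSESSIONID=CONSTRUCTEDSESSION; CSRF-TOKEN=constructed-token-123",
  "Host: localhost:8080",
  "Origin: http://localhost:3000",
].join("\n");
```

In the browser, the result of `buildConfig(document.cookie)` is what goes in the third argument of `axios.post(url, body, config)`.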