I am trying to build a website where I can internally control our UiPath Orchestrator. We are using an on-premise Orchestrator.
The connection was first tested in Postman/curl:
curl --location --request POST '{{url}}/api/Account/Authenticate' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "tenancyName": "{{tenantName}}",
    "usernameOrEmailAddress": "{{usernameOrEmailAddress}}",
    "password": "{{password}}"
  }'
This gives me back the authtoken without any issue. Perfect.
Then I tried to implement that curl as XHR in JavaScript:
var data = JSON.stringify({"tenancyName":"...","usernameOrEmailAddress":"...","password":"..."});
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function() {
  if (this.readyState === 4) {
    console.log(this.responseText);
  }
});
xhr.open("POST", "https://.../api/account/authenticate");
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(data);
But Firefox and Chrome are trying to preflight. So I get a 404 status code back.
I'm confused now how to fix it. Actually it is obviously a CORS issue. So I tried to set:
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
on our IIS7 server. Without any change.
Also I tried to set this setting to allow everything on the Node.js server and on the XHR request. But 404 stays.
Then I tried using Chrome and Firefox Plugins to disable CORS. But 404 stays.
And again in Postman it works perfectly since the first try. So it is just a CORS issue. But I want to leave CORS enabled, maybe just configure it in a way that specific servers are allowed. How do I do that?
Another solution is to disable CORS on IIS10.
But be sure that this is only for testing and only kind of secure when you run it non-public! Later you should enable it again and restrict it to the domains you use.
First install the CORS module.
And the second step is adding this line to the web.config file of the IIS10 server:
<configuration>
  <system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*">
        <allowHeaders allowAllRequestedHeaders="true" />
      </add>
    </cors>
  </system.webServer>
</configuration>
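The restricted form that the answer above says to move to after testing, as an added example that is not part of the original answer: the same IIS CORS module section with one named origin instead of `*`. The origin `https://orchestrator-ui.example.com` is a placeholder for wherever the internal site is served from; `allowCredentials` is set because the XHR in the question uses `withCredentials = true`, and browsers accept a credentialed response only when the allowed origin is a specific value rather than `*`.

```xml
<configuration>
  <system.webServer>
    <!-- failUnlistedOrigins="true": requests from origins not listed below are rejected -->
    <cors enabled="true" failUnlistedOrigins="true">
      <!-- Placeholder origin (assumption): scheme://host[:port] of the internal site -->
      <add origin="https://orchestrator-ui.example.com" allowCredentials="true" maxAge="600">
        <!-- Allow only the header the XHR sets, instead of allowAllRequestedHeaders="true" -->
        <allowHeaders allowAllRequestedHeaders="false">
          <add header="Content-Type" />
        </allowHeaders>
        <!-- Allow only the method the authenticate call uses -->
        <allowMethods>
          <add method="POST" />
        </allowMethods>
      </add>
    </cors>
  </system.webServer>
</configuration>
```

Each additional site that needs access gets its own `<add origin="...">` element with its own header and method lists.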