Can I use an app token to access Jira Cloud from a JavaScript fetch?

Tim Graboski June 7, 2019

When I make a GET request via Postman to

https://<my-company>.atlassian.net/rest/api/2/search

I get back a list of issues as expected. When I try to make the same request in Chrome using JavaScript, I get back an empty response with a 200 status.

Here's my JS:

const token = btoa("<username>:<app token>"); // base64-encode the basic auth credentials
const URL = `https://<my-company>.atlassian.net/rest/api/2/search`;
const response = await fetch(URL, {
  headers: {
    Authorization: `Basic ${token}`
  }
});

I am running this from localhost:8080 in case that matters.

If I use an incorrect access token I get a 401 error as expected. If I use an incorrect url I get a 404 as expected. I can only assume it's something to do with CORS, since I'm pointing at the right address, I have correct authentication, and I can get back a response in postman.

How do I successfully query issues from Jira Cloud using JavaScript in a browser (not Node.js)?

1 answer

0 votes
Dario B
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 11, 2019

Hi @Tim Graboski,

This question has already been answered in the below thread in the Atlassian developer community:

......

We actually do support CORS requests when using https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/, as your requests will go through api.atlassian.com, where token based authentication is the only thing we allow.

For further explanation: The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site.

The alternative is to proxy your requests through your own backend....

.....

Also, for the future, you might have better luck asking these kinds of questions in the developers' community :)

I hope this helps.

Cheers,
Dario

Tim Graboski June 11, 2019

Thanks for the reply. I totally didn't notice this forum isn't for developers; my bad. If I understand the post, this means I must use the oauth flow for this type of web-based request?

Dario B
Atlassian Team
June 12, 2019

You are very welcome :) 

Also, in order to answer your question, you are correct: out-of-the-box CORS requests are only supported when using OAuth 2.0 (3LO) for apps.

However, there are also ways to achieve this by proxying your requests, for example by using something like:

  • CORS Anywhere (a NodeJS proxy which adds CORS headers to the proxied request)

Please let me know if you have further questions or accept the answer otherwise.

Dario

Aleksandr Gembinski April 22, 2020

Atlassian should make it more clear that browser requests are blocked. Why show us working demos in Postman and Curl, when we really need to do this via JS in the browser in the real world? I am not going to run an app in a terminal window. Why tease us with a functionality that doesn't actually exist? Especially after we told our boss it was working in Postman and should be just a little more time before it's working in the app.

Yet if I drop it in the URL bar at the top of the browser it just returns all the data with no checking of password or anything.

Dario B
Atlassian Team
April 24, 2020

Hi @Aleksandr Gembinski,

As already mentioned, this is not the right place to discuss development related issues; you should go to the Developers Community instead.

However, as already explained:

  1. This limitation is in place in order to increase the security of your site:
    The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site.
  2. You can always work around this limitation by proxying your requests using something like CORS Anywhere.

Most likely there are also other ways to achieve your goals and you may want to check possible alternative approaches with the other developers in the Developers Community.

Also, if you can get results by writing the REST API endpoint in the browser address bar there are only 2 possibilities:

  1. You have already accessed your Jira site in another browser tab/window and therefore the same session is used (no need to re-authenticate)
  2. That specific endpoint can also be called as an anonymous user (this is usually mentioned in the documentation)

If it's none of the above, you should provide more details so that we can further investigate.

Cheers,
Dario
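
The "proxy your requests through your own backend" option from the replies above, as an added example that is not part of the original thread and not Atlassian's code: a small Node.js (18+) proxy that keeps the API token on the server and answers CORS for one page origin only. The environment variable names, port 3000 and the path allowlist are assumptions made for this sketch.

```javascript
// Added example. Assumed names: JIRA_SITE / JIRA_USER / JIRA_API_TOKEN /
// JIRA_PROXY_LISTEN env vars, port 3000, and the allowlist below.
const ALLOWED_ORIGIN = "http://localhost:8080"; // the page origin from the question
const ALLOWED_PATHS = new Set(["/rest/api/2/search"]); // forward only what the UI needs

// Pure handler so the policy can be tested without a network:
// returns { status, headers, body }. fetchImpl is injectable.
async function handleProxy({ method, url, origin }, env, fetchImpl = fetch) {
  const cors = { "Access-Control-Allow-Origin": ALLOWED_ORIGIN, Vary: "Origin" };
  // Never reflect arbitrary origins: that would recreate the problem the
  // answer describes (any site driving authenticated requests).
  if (origin !== ALLOWED_ORIGIN) return { status: 403, headers: {}, body: "origin not allowed" };
  if (method === "OPTIONS") {
    return { status: 204, headers: { ...cors, "Access-Control-Allow-Methods": "GET" }, body: "" };
  }
  // Parse against a dummy base; only the normalised path and query are reused,
  // so the upstream host always comes from configuration, never from the request.
  let target = null;
  try { target = new URL(url, "http://proxy.invalid"); } catch { /* malformed request target */ }
  if (method !== "GET" || !target || !ALLOWED_PATHS.has(target.pathname)) {
    return { status: 404, headers: cors, body: "not proxied" };
  }
  // The API token stays on the server; the browser never sees it.
  const basic = Buffer.from(`${env.JIRA_USER}:${env.JIRA_API_TOKEN}`).toString("base64");
  try {
    const upstream = await fetchImpl(`https://${env.JIRA_SITE}${target.pathname}${target.search}`, {
      headers: { Authorization: `Basic ${basic}`, Accept: "application/json" },
    });
    const headers = { ...cors, "Content-Type": "application/json" };
    return { status: upstream.status, headers, body: await upstream.text() };
  } catch (err) {
    return { status: 502, headers: cors, body: "upstream request failed" };
  }
}

// Wiring to Node's http module; runs only when JIRA_PROXY_LISTEN is set.
async function startServer(port = 3000) {
  const http = await import("node:http");
  const server = http.createServer(async (req, res) => {
    const reqInfo = { method: req.method, url: req.url, origin: req.headers.origin };
    const out = await handleProxy(reqInfo, process.env);
    res.writeHead(out.status, out.headers).end(out.body);
  });
  return server.listen(port, "127.0.0.1"); // loopback only
}
if (process.env.JIRA_PROXY_LISTEN) startServer();
```

The Origin check only constrains browsers; any client that can reach the port can send that header, which is why the server binds to 127.0.0.1 and forwards a single read-only path.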
