This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

Enable CORS for Watson api endpoints #112

Open
Tumetsu opened this issue Aug 11, 2018 · 4 comments

@Tumetsu

Tumetsu commented Aug 11, 2018

Hi,

As an exercise project, I'm developing a React progressive web app which would let me input Watson data with my mobile phone through a web UI. I'd like to integrate with Crick so that I could sync my devices.

Looking at the API documentation, it looks like the only way to push and pull time frames is through the Watson endpoints. However, if I try to access these APIs from a web page, I get this error:

Failed to load https://api.crick.io/watson/frames: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

My idea is to create a front-end app without a backend implementation. Would it be possible to make the Watson endpoints accessible from web apps, or do you think this poses an unacceptable security risk?

@willdurand
Member

CORS is enabled, but we restrict Origin to https://app.crick.io.

I am not sure we want to allow * but if you use this project locally, you can set the CORS_ALLOWED_ORIGINS env variable to whatever you want.
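
The origin restriction described in the comment above, sketched as an added example (it is not part of this thread and not Crick's own code): the request's Origin is echoed back only on an exact allowlist match, never as `*`. It assumes CORS_ALLOWED_ORIGINS holds a comma-separated list; the function names, the listen address and the allowed header list are illustrative.

```go
package main

import (
	"log"
	"net/http"
	"os"
	"strings"
)

// parseAllowedOrigins splits the env value; a comma-separated list is assumed.
func parseAllowedOrigins(raw string) map[string]bool {
	allowed := make(map[string]bool)
	for _, o := range strings.Split(raw, ",") {
		if o = strings.TrimSpace(o); o != "" {
			allowed[o] = true
		}
	}
	return allowed
}

// corsHeaders echoes the origin only on an exact match (scheme, host, port).
func corsHeaders(allowed map[string]bool, origin string) map[string]string {
	h := map[string]string{"Vary": "Origin"} // responses differ per Origin
	if origin != "" && allowed[origin] {
		h["Access-Control-Allow-Origin"] = origin
		h["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
		h["Access-Control-Allow-Headers"] = "Authorization, Content-Type" // assumed list
	}
	return h
}

// withCORS applies corsHeaders and answers preflight requests itself.
func withCORS(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range corsHeaders(allowed, r.Header.Get("Origin")) {
			w.Header().Set(k, v)
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.WriteHeader(http.StatusNoContent) // preflight: headers only, no body
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	allowed := parseAllowedOrigins(os.Getenv("CORS_ALLOWED_ORIGINS"))
	// http.NotFoundHandler stands in for the real API handlers.
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", withCORS(allowed, http.NotFoundHandler())))
}
```

A preflight from an origin outside the list still gets a 204, but without Access-Control-Allow-Origin, so the browser blocks the call with the error quoted in the first post.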

@Tumetsu
Author

Tumetsu commented Aug 11, 2018

Yeah, that would solve the issue for development but unfortunately not for production, though * for allowed origins might be bad :( I have saved my time frames to your Crick server and intended to host the web app on GitHub Pages as a static web app so that I could access and edit my time frame data from mobile.

I suppose I either have to host my own server instance to host my data or develop a separate mobile app rather than PWA to circumvent the CORS problem :/

@willdurand
Member

> I suppose I either have to host my own server instance to host my data or develop a separate mobile app rather than PWA to circumvent the CORS problem :/

I have to think more about it.

@Tumetsu
Author

Tumetsu commented Aug 11, 2018

OK, thanks. I'll continue for now by using the local server for development as you suggested and figure out later on what to do depending on what you decide.
