Hey,
we are having issue with the API when using JS to query it. It seems like the API in its current implementation with CORS does not handle pre-flight requests correctly.
The CORS pre-flight check made by the browser does an OPTIONS request on the API. But unfortunately the API does not accept this request without authentification:
~ curl -X OPTIONS -H "Origin: https://bla.foo.de" "https://librenms.foo.de/api/v0/devices/test-device/ports/xe-0%2F0%2F0:2"
{"message":"Unauthenticated."}
Unfortunately, the pre-flight check made by all common browsers are not customizable. So we cannot add the ‘X-Auth-Token’ header to this special request.
Our config:
# API CORS
$config['api']['cors']['enabled'] = true;
$config['api']['cors']['origin'] = ['https://bla.foo.de'];
$config['api']['cors']['maxage'] = '86400';
$config['api']['cors']['allowmethods'] = ['POST', 'GET', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'];
$config['api']['cors']['allowheaders'] = ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'X-Auth-Token', 'X-Request'];
$config['api']['cors']['exposeheaders'] = ['Cache-Control', 'Content-Language', 'Content-Type', 'Expires', 'Last-Modified', 'Pragma'];
$config['api']['cors']['allowcredentials'] = false;
In my eyes the API endpoint has to be modified to accept unauthenticated OPTIONS requests for the pre-flight check to work correctly.