CORS Issue

Hi! When calling the Nuki Bridge, I’m getting back a CORS error:

Access to XMLHttpRequest at 'http://192.168.178.85:8080/lockAction?nukiId=517134628&action=3&ts=2020-10-15T17:52:25.400644Z&rnr=16808&hash=df3a5634e50889cb9d5068aefa377fd9374df47e84c70295eb1152e1d2e26308' from origin 'http://localhost:4000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Am I missing something or does the bridge need to set this header?

Edit: My request is executed as wished, I just cannot read the response.

Why did you not make the request from the server side?
The client only goes to localhost and the server proxies the request to the bridge. This also has the benefit that the token must not be in the readable client code.

BTW: if you post here, you should not post the token or hash or nukiids.

Kind regards, Alex
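
The server-side proxy suggested in the reply above, as an added example that is not part of the original posts and is not Nuki's code. It assumes the bridge's hashed-token scheme is a hex SHA-256 over `ts,rnr,token`; the `NUKI_*` environment variable names, the allow-list and `parseAction` are hypothetical, and the handler is meant to run inside the server that already serves the page so the browser call is same-origin.

```javascript
// Added example (not Nuki's or the posters' code). Requires Node 18+ for fetch.
const crypto = require('node:crypto');
const http = require('node:http');

// Assumption: hash = hex SHA-256 of "ts,rnr,token", ts in UTC with second
// precision, rnr a random 16-bit number. The token itself never leaves here.
function buildLockActionUrl(bridge, token, nukiId, action,
                            now = new Date(), rnr = crypto.randomInt(0, 65536)) {
  const ts = now.toISOString().replace(/\.\d+Z$/, 'Z');
  const hash = crypto.createHash('sha256')
    .update(`${ts},${rnr},${token}`).digest('hex');
  const url = new URL('/lockAction', bridge);
  url.search = new URLSearchParams({ nukiId, action, ts, rnr, hash }).toString();
  return url;
}

// Accept only actions the operator allowed; anything else yields null.
function parseAction(reqUrl, allowed) {
  const a = new URL(reqUrl, 'http://placeholder.invalid').searchParams.get('action');
  return a !== null && allowed.has(a) ? Number(a) : null;
}

// The browser POSTs only an action number; nukiId, token and hash stay server-side.
function createProxy({ bridge, token, nukiId, allowed }) {
  return http.createServer(async (req, res) => {
    const action = req.method === 'POST' ? parseAction(req.url, allowed) : null;
    if (action === null) { res.writeHead(400).end('bad request'); return; }
    try {
      const r = await fetch(buildLockActionUrl(bridge, token, nukiId, action));
      res.writeHead(r.status, { 'Content-Type': 'application/json' })
        .end(await r.text());
    } catch {
      res.writeHead(502).end('bridge unreachable');
    }
  });
}

// Starts only when configured (hypothetical variable names).
if (process.env.NUKI_TOKEN) {
  createProxy({
    bridge: process.env.NUKI_BRIDGE,
    token: process.env.NUKI_TOKEN,
    nukiId: process.env.NUKI_ID,
    allowed: new Set((process.env.NUKI_ACTIONS || '').split(',')),
  }).listen(4000, '127.0.0.1');
}
```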

Hi Alex,

thanks for your response! I’d like to make the request from the server, however that’s currently not possible because of the way the network is built.

I don’t see any issues sending the action link to the clients, as they only get the hash (not the token) and it doesn’t seem to be valid for a long time. Do you think this is problematic?

Again, I will try to do everything from the server as soon as possible but currently I’d need the header to be returned. Otherwise, I cannot read the response’s body.

Many thanks and have a nice weekend!

OK, if you only want to analyse the header, try to make the call in the browser without an app or JS call. Only use the developer console and, in the network tab, show the response header.
Like this: https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor/request_details
The hash: I think it's not impossible to brute force the token, because the salt (rnr) and timestamp are also in the request. Also, this information is not for the public. Every time, people like @Stephan say: please send the Nuki ID only in private messages.
Kind regards, Alex