Endpoint access

I made a Vue.js face recognition and wanted to send an encode_image and employee_id. I already made an API in my attendance module:

from trytond.wsgi import app
from trytond.pool import Pool
from werkzeug.wrappers import Response
from flask import request, make_response

@app.route('/face_recognition/create', methods=['POST', 'OPTIONS'])
def create_face_record():
    if request.method == 'OPTIONS':
        response = make_response('')
        response.headers['Access-Control-Allow-Origin'] = '*'
        response.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS'
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
        return response

    data = request.json
    employee_id = data.get('employee_id')
    face_encoding = data.get('face_encoding')

    if not employee_id or not face_encoding:
        return {'error': 'Missing employee_id or face_encoding'}

    try:
        FaceRecognition = Pool().get('face.recognition')
        record = FaceRecognition.create_face_record_api(employee_id, face_encoding)
        response = {'success': True, 'record_id': record.id}
    except ValueError as e:
        response = {'error': str(e)}

    # Header CORS
    resp = make_response(response)
    resp.headers['Access-Control-Allow-Origin'] = '*'
    resp.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS'
    resp.headers['Access-Control-Allow-Headers'] = 'Content-Type'
    return resp

But I got this denied access error:

Traceback (most recent call last):
  File "/home/name/.virtualenvs/project/lib/python3.10/site-packages/werkzeug/serving.py", line 370, in run_wsgi
    execute(self.server.app)
  File "/home/name/.virtualenvs/project/lib/python3.10/site-packages/werkzeug/serving.py", line 331, in execute
    application_iter = app(environ, start_response)
  File "/home/name/tryton/trytond/trytond/wsgi.py", line 204, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/name/tryton/trytond/trytond/wsgi.py", line 210, in __call__
    return self.app(environ, start_response)
  File "/home/name/tryton/trytond/trytond/wsgi.py", line 176, in wsgi_app
    abort(HTTPStatus.FORBIDDEN)
  File "/home/name/.virtualenvs/project/lib/python3.10/site-packages/werkzeug/exceptions.py", line 878, in abort
    _aborter(status, *args, **kwargs)
  File "/home/name/.virtualenvs/project/lib/python3.10/site-packages/werkzeug/exceptions.py", line 863, in __call__
    raise self.mapping[code](*args, **kwargs)
werkzeug.exceptions.Forbidden: 403 Forbidden: You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

I have no idea how to solve this.

It seems it is because the Origin header is not allowed. It is not the Host name and it is not in [web] cors. Or maybe the Origin header is null so in this case you must decorate the entrypoint function with @allow_null_origin from trytond.protocols.wrapper.

By the way, you do not need to add support for OPTIONS in the entrypoint; trytond has a default catch-all route that supports them.

I already removed the OPTIONS

and added cors in trytond.conf

[web]
listen=127.0.0.1:8002
root=/home/horse/tryton/sao
cors = http://localhost:8080/

However, this still reacted like this:

Access to XMLHttpRequest at 'http://127.0.0.1:8002/face_recognition/create' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

index.js??clonedRule…e=script&lang=js:79 Error mengirim data ke Trytond:

1. AxiosError {message: 'Network Error', name: 'AxiosError', code: 'ERR_NETWORK', config: {…}, request: XMLHttpRequest, …}

xhr.js:186 POST http://127.0.0.1:8002/face_recognition/create net::ERR_FAILED

index.js??clonedRule…e=script&lang=js:58 Employee ID: 1

I do not understand what this means but you should look at the headers of your requests and see what is the Origin.

This is the Header


Request URL: http://127.0.0.1:8002/face_recognition/create
Request Method: OPTIONS
Status Code: 500 INTERNAL SERVER ERROR
Remote Address: 127.0.0.1:8002
Referrer Policy: strict-origin-when-cross-origin

I think I already deleted OPTIONS in my api.py

Sorry but this does not look like HTTP headers.

I do not understand why you are saying that.

Sorry, you mean this?

or this?

accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
connection: keep-alive
content-length: 2751
content-type: application/json
host: 127.0.0.1:8002
origin: http://localhost:8080
referer: http://localhost:8080/
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

We can see that the origin is different from the host, so CORS applies:

but in your configuration you put:

But cors should contain allowed origins, which do not include the path. So you should use:

[web]
cors = http://localhost:8080

otherwise with the path it does not match with the actual origin.
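
An added example (not part of the thread, and not trytond's own code) that models the check discussed above: an `Origin` header is accepted only if it matches the `Host` or is an exact string match for an entry in `[web] cors`, and a small lint reports entries that can never match. The function names, the `allow_null` flag and the malformed single-slash entry are assumptions made for the illustration; the origin and host are the ones from the posted headers.

```python
from configparser import ConfigParser
from urllib.parse import urlsplit

def cors_entries(conf_text):
    """Return the [web] cors option as a list, one origin per line."""
    parser = ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    value = parser.get("web", "cors", fallback="")
    return [ln.strip() for ln in value.splitlines() if ln.strip()]

def lint_origin(entry):
    """List the reasons `entry` can never equal a browser Origin header."""
    parts, problems = urlsplit(entry), []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.netloc:
        problems.append("missing host, expected scheme://host[:port]")
    if parts.path or parts.query or parts.fragment:
        problems.append("origin must not contain a path, query or fragment")
    return problems

def origin_allowed(origin, host, cors, allow_null=False):
    """Simplified model of the server-side check (assumption, not trytond code)."""
    if not origin:
        return True                      # no Origin header: not a cross-origin call
    if origin == "null":
        return allow_null                # opaque origin needs an explicit opt-in
    if urlsplit(origin).netloc == host:
        return True                      # same host and port as the server
    return origin in cors                # exact string comparison, no normalisation

# Constructed inputs modelled on the thread: three ways of writing the cors option.
CONFIGS = {
    "with_path": "[web]\ncors = http://localhost:8080/\n",
    "one_slash": "[web]\ncors = http:/localhost:8080\n",
    "multiline": "[web]\ncors =\n       http://localhost:8080\n",
}
ORIGIN, HOST = "http://localhost:8080", "127.0.0.1:8002"

def report():
    result = {}
    for name, text in CONFIGS.items():
        entries = cors_entries(text)
        problems = [p for e in entries for p in lint_origin(e)]
        result[name] = (origin_allowed(ORIGIN, HOST, entries), problems)
    return result

if __name__ == "__main__":
    print(report())
```

Only the `multiline` form yields an entry equal to the browser's `Origin`; the other two are rejected and flagged by the lint.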

I already did what you told me; I added this:


[web]
listen=127.0.0.1:8002
root=/home/name/tryton/sao
cors =
       http://localhost:8080

But it keeps showing this

accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
connection: keep-alive
content-length: 2742
content-type: application/json
host: 127.0.0.1:8002
origin: http://localhost:8080
referer: http://localhost:8080/
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

You must debug in trytond/wsgi.py why it aborts with FORBIDDEN.