supermew
just joined
Topic Author
Posts: 3
Joined: Sat Apr 15, 2017 10:38 pm

Rest API CORS

Sun Mar 27, 2022 12:21 am

Hi,

I'm building a custom web frontend for configuring RouterOS devices using their new REST API.
Is it somehow possible to set CORS headers for the www-ssl to allow HTTP requests directly from a custom-built website without an intermediate backend?
 
TheNetworkALCOHOLIC
just joined
Posts: 2
Joined: Wed Jan 26, 2022 3:37 pm

Re: Rest API CORS

Mon May 09, 2022 11:19 am

Have you had any luck? Seems like an intermediate backend is needed.
 
TheNetworkALCOHOLIC
just joined
Posts: 2
Joined: Wed Jan 26, 2022 3:37 pm

Re: Rest API CORS

Mon Jul 04, 2022 7:32 pm

I found a solution: if you're using webpack or Vite, just put in a proxy, set secure to false and changeOrigin to true. It'll work!
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Rest API CORS

Mon Dec 05, 2022 10:09 pm

I wrote a Dockerfile for /container that can do this using NGINX official container with CORS reverse proxy configuration. If it helps, see my forum posting:
"Mginx" Container - Reverse Proxy for CORS & X.509 support using Nginx

edit: I need to proofread my posts, "X.509" not X506, and "wrote"
 
xsmael
just joined
Posts: 10
Joined: Wed May 15, 2019 6:33 pm

Re: Rest API CORS

Wed Dec 21, 2022 5:16 pm

I found a solution: if you're using webpack or Vite, just put in a proxy, set secure to false and changeOrigin to true. It'll work!
Would you please give more details about how you did it? I need something of the like.
 
pjkundert
just joined
Posts: 7
Joined: Tue Aug 18, 2009 5:48 am

Re: Rest API CORS

Fri Sep 29, 2023 5:13 pm

Wow, lack of CORS in the REST API really limits its utility!

We deal with hundreds of remote RouterOS devices, connected via ZeroTier links.

Instead of our status web page being able to directly access the devices, we have to shuttle requests through a centralized CORS proxy.

Super inefficient, slow and wasteful...
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Rest API CORS

Fri Sep 29, 2023 6:29 pm

Wow, lack of CORS in the REST API really limits its utility!
Yup. It really opens some possibilities. "Wasteful" is a good term.

I have long wanted to include a static .html page in a branding kit, with some JS to directly invoke RouterOS from the page – no backend required, no container, and everything would be local to the CPE. But the lack of even a CORS "same-origin" means some backend and/or CORS reverse proxy is required.

I did put in a formal feature request (SUP-99112) a while back, and got a "we will see what can be done here" a while back – so semi-positive news. Specifically, I proposed having a checkbox to enable in /ip/services, along with a list of FQDNs for the "allowed origins" returned by the REST API, to maintain CORS's schemes*. On the client side, you still have to do the CORS dance (e.g. includeCredentials: true etc in fetch()/XMLRequest/etc) - but those are solvable. The lack of CORS headers being returned from the REST server is not.

* there are many CORS rules on the client side, so the cors-allowed-origin header cannot be "*" when using credentials & RouterOS requires creds (e.g. basic auth)...so the REST API has to deal with the origins somehow
 
maxinieto
just joined
Posts: 2
Joined: Wed Aug 16, 2023 10:05 pm

Re: Rest API CORS

Sat Dec 09, 2023 2:12 pm

I found a solution: if you're using webpack or Vite, just put in a proxy, set secure to false and changeOrigin to true. It'll work!

How did you do it? I am stuck with my React app.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Rest API CORS

Sat Dec 09, 2023 7:16 pm

If you look at the post above the one you quote...
seems like intermediate backend is needed.

The choice of client-side framework doesn't change how web browsers enforce CORS. So unless MikroTik adds CORS support, there is no way for client-side JavaScript to directly use fetch() or XMLHttpRequest() — neither the React framework nor packaging tools can change it.

Now nodejs does NOT enforce CORS rules. And Vite is just a development nodejs server, so that's an option. But any backend will do (e.g. Express, Hapi, etc. or some serverless lambda). Key is the rest api calls to RouterOS happen in the nodejs backend, not the front-end JS/HTML – but the frontend must use that "intermediate backend" (e.g. a nodejs-based HTTP server) to reach the router REST API.
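
The "intermediate backend" discussed in this thread, sketched as a small Node.js proxy that returns the CORS headers the RouterOS REST service does not. This is an added example, not code from any poster or from MikroTik; the router address, the allowed origin and the function names are assumptions.

```javascript
// Added example. ROUTER_URL and ALLOWED_ORIGINS are constructed placeholders.
const ROUTER_URL = "https://192.0.2.1"; // RouterOS www-ssl service
const ALLOWED_ORIGINS = new Set(["https://status.example.com"]);

// With credentials, browsers reject "Access-Control-Allow-Origin: *", so the
// request's Origin is echoed back only when it is on the allowlist.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Vary": "Origin",
  };
}

// Handles one request; `upstream` defaults to Node's fetch and is injectable.
// Assumes Node already trusts the router certificate (e.g. NODE_EXTRA_CA_CERTS).
async function handle(req, upstream = fetch) {
  const cors = corsHeaders(req.headers.origin);
  if (!cors) return { status: 403, headers: {}, body: "origin not allowed" };
  if (req.method === "OPTIONS") return { status: 204, headers: cors, body: "" };
  try {
    // Resolve first, then check: rejects "//other-host/..." and "/rest/../" paths.
    const target = new URL(req.url, ROUTER_URL);
    if (target.origin !== new URL(ROUTER_URL).origin || !target.pathname.startsWith("/rest/"))
      return { status: 404, headers: cors, body: "" };
    const auth = req.headers.authorization; // passed through, never stored here
    const hasBody = !["GET", "HEAD"].includes(req.method) && req.body;
    const res = await upstream(target, {
      method: req.method,
      headers: { "Content-Type": "application/json", ...(auth && { Authorization: auth }) },
      body: hasBody ? req.body : undefined,
    });
    return { status: res.status, headers: { ...cors, "Content-Type": "application/json" }, body: await res.text() };
  } catch {
    return { status: 502, headers: cors, body: "upstream request failed" };
  }
}

async function start(port = 8080) {
  const http = await import("node:http"); // dynamic import works in CJS and ESM
  return http.createServer(async (req, res) => {
    req.setEncoding("utf8");
    let body = "";
    for await (const chunk of req) body += chunk;
    const out = await handle({ method: req.method, url: req.url, headers: req.headers, body });
    res.writeHead(out.status, out.headers).end(out.body);
  }).listen(port);
}
```

Call start() to listen; the browser page then sends its fetch() calls, with the Authorization header, to this proxy instead of to the router.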
