CORS exception with FSM API (https://eu.coresystems.net/)

simonsp

Hello,

I'm building an extension application for FSM.

This application is hosted without authorization on SAP Cloud Foundry (Build Workzone).

In this application we call FSM APIs to retrieve data.

Calls to the FSM Query API (https://eu.coresuite.com/api/) are working well.

This is due to the "Access-Control-Allow-Origin: *" header.

For our use case we try to retrieve timeslots for an activity.

https://eu.coresystems.net/optimization/api/v3/job-slots/actions/search

This API does not return the "Access-Control-Allow-Origin" header.

Therefore causing a CORS error.

Due to not being authorized in the application we are not able to use SAP BTP Destination services.

We get 401 - not authorized.

For SAP CPI we also need a SAP User with proper roles.

We are looking for advice on the best solution for this use case.

Maybe functionally there is another API in FSM to retrieve timeslots?

Or maybe we need to build a CAP project as reverse proxy?

Thanks in advance

Patrick Simons

Accepted Solutions (0)

Answers (1)

nikhil_rane

Hello Patrick, thanks for your question. My team handles the /job-slots/actions/search API and I would like to support you here. A couple of questions:

  • Is there a business reason to host this extension on SAP CF without authorization? Are you not risking leaking data stored in FSM for this customer by allowing unauthorized access?
  • Which client makes the call to /job-slots/actions/search? I suspect the client's browser that loads your extension deployed in CF executes the call. Is this correct? Have you tried to move the call to the hosted extension? That should solve the problem (providing a backend for your frontend user).

CC: jose.cortes

Thank You,

Nikhil

simonsp

Hi Nikhil,

Thanks for your response and thoughts for a solution.

1.a The customer uses FSM (Coresystems) and uses SAP BTP. Therefore SAP BTP (CF) seems like the most logical host for an extension application.

Do you know another solution in this case? A separate hosting server feels like extra work (and maintenance).

1.b As far as I understand there is no FSM data coming from the FSM shell unless the user is logged in to FSM. Therefore there should be no risk for losing unauthorised access? As far as I understood the documentation, the hosted extension application MUST be unauthorised, at least for the appconfig.json.

2. The CORS exception is based on the active host. In this case, since it is loaded as extension, Coresystems.net.

I have considered hosting a proxy on CF with CAP. But I have limited knowledge of this solution and am thus hesitant to try to build this solution and waste time after a couple of days if there is a better solution for this.
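
The backend-for-frontend relay discussed in this thread, sketched as an added example (not code from either poster or from SAP). Assumptions: the allowed origin is a constructed placeholder, the search call is a JSON POST, the browser sends the logged-in user's own FSM credential in `Authorization`, and the names `relayJobSlotSearch` and `startRelay` are hypothetical; any further headers the FSM API requires are not shown.

```javascript
// Added example: server-side relay for the job-slots search call (Node 18+).
const UPSTREAM = "https://eu.coresystems.net/optimization/api/v3/job-slots/actions/search"; // URL from the post
const ALLOWED_ORIGINS = new Set(["https://extension.example.com"]); // constructed placeholder

// Decide the response for one browser request. `doFetch` is injectable so the
// policy can be exercised offline; it defaults to Node's global fetch.
async function relayJobSlotSearch(req, doFetch = fetch) {
  const origin = req.headers.origin;
  // Answer only known front-end origins; never reflect arbitrary ones or use "*".
  if (!ALLOWED_ORIGINS.has(origin))
    return { status: 403, headers: {}, body: "origin not allowed" };
  const cors = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (req.method === "OPTIONS") { // CORS preflight
    return { status: 204, headers: { ...cors,
      "Access-Control-Allow-Methods": "POST",
      "Access-Control-Allow-Headers": "Authorization, Content-Type" }, body: "" };
  }
  if (req.method !== "POST") return { status: 405, headers: cors, body: "method not allowed" };
  // Assumption: the caller supplies its own FSM credential. The relay holds no
  // shared secret, so it cannot be used to reach FSM data anonymously.
  const auth = req.headers.authorization;
  if (!auth) return { status: 401, headers: cors, body: "missing Authorization" };
  try {
    // Fixed upstream URL: the caller cannot steer the relay to another host or path.
    const upstream = await doFetch(UPSTREAM, {
      method: "POST",
      headers: { Authorization: auth, "Content-Type": "application/json" },
      body: req.body,
    });
    return { status: upstream.status, headers: { ...cors, "Content-Type": "application/json" },
      body: await upstream.text() };
  } catch {
    return { status: 502, headers: cors, body: "upstream unreachable" };
  }
}

// Thin HTTP wrapper around the policy function; call startRelay() to listen.
async function startRelay(port = 8080) {
  const http = await import("node:http"); // dynamic import works in CommonJS and ESM
  return http.createServer(async (req, res) => {
    let body = "";
    for await (const chunk of req) body += chunk;
    const out = await relayJobSlotSearch({ method: req.method, headers: req.headers, body });
    res.writeHead(out.status, out.headers).end(out.body);
  }).listen(port);
}
```

Because the browser now talks only to the relay, the missing `Access-Control-Allow-Origin` header on the upstream response no longer matters; the relay sets its own header for the allowlisted origin.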