Basic authentication with header - Javascript XMLHttpRequest

javascript xmlhttprequest cors basic-authentication adyen
Metu picture Metu · Aug 6, 2017 · Viewed 7.8k times · Source

I am trying to access Adyen test API that requires basic authentication credentials. https://docs.adyen.com/developers/ecommerce-integration

My credentials work when accessing the API page through browser.
Authentication

But I get an 401 Unauthorized response when trying to access the API with XMLHttpRequest POST request.

Javascript Code

var url = "https://pal-test.adyen.com/pal/servlet/Payment/v25/authorise";

var username = "[email protected]";
var password = "J}5fJ6+?e6&lh/Zb0>r5y2W5t";
var base64Credentials = btoa(username+":"+password);

var xhttp = new XMLHttpRequest();
xhttp.open("POST", url, true);
xhttp.setRequestHeader("content-type", "application/json");
xhttp.setRequestHeader("Authorization", "Basic " + base64Credentials);

var requestParams = XXXXXXXX;
xhttp.send(requestParams);


Result

Result

Answer

sideshowbarker picture sideshowbarker · Aug 6, 2017

That screenshot shows “Request Method: OPTIONS”, which indicates the details displayed are for a CORS preflight OPTIONS request automatically made by your browser—not for your POST.

Your browser doesn’t (and can’t) send the Authorization header when it makes that OPTIONS request, and that causes the preflight to fail, so the browser never moves on to trying your POST.

As long as https://pal-test.adyen.com/pal/servlet/Payment/v25/authorise requires authentication for OPTIONS requests, there’s no way you can make a successful POST to it.

The reason is because what’s happening here is this:

  1. Your code tells your browser it wants to send a request with the Authorization header.
  2. Your browser says, OK, requests with the Authorization header require me to do a CORS preflight OPTIONS to make sure the server allows requests with that header.
  3. Your browser sends the OPTIONS request to the server without the Authorization header—because the whole purpose of the OPTIONS check is to see if it’s OK to send that.
  4. That server sees the OPTIONS request but instead of responding to it in a way that indicates it allows Authorization in requests, it rejects it with a 401 since it lacks that header.
  5. Your browser expects a 200 or 204 response for the CORS preflight but instead gets that 401 response. So your browser stops right there and never tries the POST request from your code.

Related questions

“Origin null is not allowed by Access-Control-Allow-Origin” error for request made by application running from a file:// URL

I'm developing a page that pulls images from Flickr and Panoramio via jQuery's AJAX support. The Flickr side is working fine, but when I try to $.get(url, callback) from Panoramio, I see an error in Chrome's console: XMLHttpRequest cannot …

Read More
Origin is not allowed by Access-Control-Allow-Origin

I'm making an Ajax.request to a remote PHP server in a Sencha Touch 2 application (wrapped in PhoneGap). The response from the server is the following: XMLHttpRequest cannot load http://nqatalog.negroesquisso.pt/login.php. Origin http://localhost:8888 is not …

Read More
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '...' is therefore not allowed access

I'm using .htaccess to rewrite urls and I used html base tag in order to make it work. Now, when I try to make an ajax request I get the following error: XMLHttpRequest cannot load http://www.example.com/login.…

Read More