Does Xero API have CORS headers?

Started by Chris Go in API Endpoints

I am able to create JS code (client-side only, no node.js, no browserify) that generates the correct url to connect to the xero api.
Heavy lifting is done by https://github.com/kjur/jsrsasign

The code that generates the URL with all the correct GET parameters is here

This code is provided by the developer community - Xero does not warrant it in any way


The url that my code comes back with looks like below:
https://api.xero.com/api.xro/2.0/Organisation?oauth_token=....&oauth_nonce=...&

Note: This code is adapted from the Google Sheets code here https://gist.github.com/jamesjryan/b0c09d4bae1a04379972

I know the URL my code is generating is correct because if I cut/paste it into a browser, it returns the XML from Xero.

However, if I put that URL (in whatever combination) inside a JQuery ajax call


it is always returning

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.xero.com/api.xro/2.0/Organisation?oauth_token= ... (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Hi

Xero API does not work with client side code. You will need something server side.

Kind Regards

Remember I consult on a per hour basis. Contact me if you need me to fix the problem. $35 per hour.

We can do a 30 min free consultation via Skype.

Henzard Kruger
Certified Advisor and Full Stack developer
Picahoo cc - 0711304241 - henzard@picahoo.co.za
Skype: henzard, Gtalk: henzardkruger@gmail.com
Quality is remembered long after the price is forgotten

I abide by the 3 message rule. After 3 messages we Skype.

 

Henzard Kruger  

Thank you!

Trying to avoid having a server ... maybe an Electron app (bypasses CORS) is the way to go. For now, will probably end up downloading manually via "Account Transactions" report and then VBA (sad)
 

Chris Go  

Hi,

Electron has a server-side portion called Node.js; just use the Node.js Xero API code. https://www.npmjs.com/package/xero
 

Henzard Kruger  

Thanks Henzard, I have gone through every client code for Xero (php, python, node, "raw" REST, etc.) ... the last piece was getting it to work with client side JS only and CORS was the last blocking (and now "showstopper") piece. Was able to post the "get" URL generated on a browser and it works so code is correct but CORS is blocking it. JSONP doesn't work since it will ultimately need a POST.

Electron is tempting but presents other problems like no node excel library for formatting (xlsx is great but no "style" for the output) like xlsxwriter (python) or phpexcel (php)
 

Chris Go  

Hi Chris,

Can you share your use case? Obviously, having keys, secrets, etc. in client-side code is insecure and not something you could deploy to a public-facing audience.

Thanks
Sid
 

Sidney Maestre (Community Manager)  

This is for a private application. We were planning on using Microsoft Office Add-Ins so that private key, consumer token and key will NOT be hardcoded in the client-facing code (javascript) because that will be VERY bad. Instead will be stored in localStorage (browser) that is provided by the way the "Office Add-In" works

https://dev.office.com/docs/add-ins/overview/office-add-ins
 

Chris Go  

Hi Chris,

Even with a Public App, embedding your Consumer Key and Secret would not be prudent. Unfortunately, OAuth 1.0a is not designed for client-side use cases (iOS, Android, JavaScript).

We have published our roadmap on Trello - https://trello.com/b/cHoNWLSe/xero-platform-roadmap-for-developers

OAuth 2.0 is in the "cool ideas" column, so not slated for development but under consideration.

Thanks
Sid
 

Sidney Maestre (Community Manager)  

Thanks for the response Sid. It isn't really a big deal. We can always get a small proxy server in between the client and Xero to get around CORS.

We ended up doing "manual" as the Report API (P&L) wasn't enough as it summarized the transactions "too much". The folks ended up wanting to report on the detailed transactions which can only be accomplished via the new report called Account Transactions .. then "Export to Excel"
 

Chris Go  
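
The "small proxy server" approach mentioned above, as an added example that is not code from the thread or from Xero: a Node.js proxy that keeps the RSA private key server-side, signs the OAuth 1.0a request there, and sends CORS headers only to one allow-listed origin. The allowed origin, the listening port and the environment variable names are assumptions.

```javascript
const crypto = require('crypto');
const http = require('http');
const https = require('https');

// Assumed for illustration: the single web origin allowed to call this proxy.
const ALLOWED_ORIGINS = new Set(['https://addin.example.com']);
const XERO_URL = 'https://api.xero.com/api.xro/2.0/Organisation';

// OAuth 1.0a percent-encoding (RFC 5849 section 3.6), stricter than encodeURIComponent.
const enc = (s) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Build an RSA-SHA1 signed Authorization header. `url` must have no query string here.
function oauthHeader(method, url, consumerKey, token, pem, nonce, timestamp) {
  const params = {
    oauth_consumer_key: consumerKey, oauth_nonce: nonce,
    oauth_signature_method: 'RSA-SHA1', oauth_timestamp: String(timestamp),
    oauth_token: token, oauth_version: '1.0',
  };
  const normalized = Object.keys(params).sort()
    .map((k) => `${enc(k)}=${enc(params[k])}`).join('&');
  const base = [method.toUpperCase(), enc(url), enc(normalized)].join('&');
  params.oauth_signature = crypto.createSign('RSA-SHA1').update(base).sign(pem, 'base64');
  return 'OAuth ' + Object.keys(params).sort()
    .map((k) => `${enc(k)}="${enc(params[k])}"`).join(', ');
}

// Echo the Origin back only when it is on the allow-list; never answer with "*".
function corsHeaders(origin) {
  return ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' } : {};
}

// Start the proxy only when key material is configured (env var names are assumptions).
if (process.env.XERO_KEY_FILE) {
  const pem = require('fs').readFileSync(process.env.XERO_KEY_FILE, 'utf8');
  const { XERO_CONSUMER_KEY: key, XERO_TOKEN: token } = process.env;
  http.createServer((req, res) => {
    const cors = corsHeaders(req.headers.origin);
    const ok = cors['Access-Control-Allow-Origin'] && req.method === 'GET';
    if (!ok || req.url !== '/Organisation') { res.writeHead(403); return res.end(); }
    const auth = oauthHeader('GET', XERO_URL, key, token, pem,
      crypto.randomBytes(16).toString('hex'), Math.floor(Date.now() / 1000));
    https.get(XERO_URL, { headers: { Authorization: auth } }, (up) => {
      res.writeHead(up.statusCode, cors);
      up.pipe(res);
    }).on('error', () => { res.writeHead(502, cors); res.end(); });
  }).listen(8080, '127.0.0.1');
}
```

The browser code then calls the proxy's `/Organisation` path and never sees the consumer key or private key; requests from any other origin, method or path are refused.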

Where will I get the PEM_KEY key to get the values?
var PEM_KEY = '-----BEGIN RSA PRIVATE KEY-----' +
'...' +
'-----END RSA PRIVATE KEY-----';

Please, anyone reply to this request.
 

Mohammad Hussain  

Mohammad Hussain
Can you add more context to your question?
 

Henzard Kruger  

I tried Xero private in google apps. Please check this.
https://github.com/elangoyuva/Xero-private-in-GAS/blob/master/Code.gs
 

Mohammad Hussain  

I already created the certificate from OpenSSL, but I need the PEM key for RSA to use in Google Apps Script.

I got the public key certificate file and PEM folder from OpenSSL.
But I did not get an RSA key like this in any file which I generated from OpenSSL.
var PEM_KEY = '-----BEGIN RSA PRIVATE KEY-----' +
'...' +
'-----END RSA PRIVATE KEY-----';

Kindly give a solution for this.
 

Mohammad Hussain  

openssl genrsa -out privatekey.pem 1024
 

Henzard Kruger  

Also, the code will not work; it is 1.0 and you need 1.2
var oauth_version = '1.0';

Maybe you can just change the variable but I will not hold my breath
 

Henzard Kruger  

Thank you for your great support.

openssl genrsa -out privatekey.pem 1024

did not execute in OpenSSL.

Do you have any in Google Apps Script?
 

Mohammad Hussain  

I replied to you yesterday, but it did not appear here.

The "openssl genrsa -out privatekey.pem 1024" command does not generate the file.

I already have a private.pem file in the PEM folder, but it shows a different format.

Still, I did not get a solution for
var PEM_KEY = '-----BEGIN RSA PRIVATE KEY-----' +
'...' +
'-----END RSA PRIVATE KEY-----';

Thank you for your reply.
 

Mohammad Hussain
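
An added example, not code from the thread: a Node.js check of which PEM block a key file contains, with re-encoding to the `-----BEGIN RSA PRIVATE KEY-----` (PKCS#1) form the snippets above expect. It assumes the "different format" is an unencrypted PKCS#8 key (`-----BEGIN PRIVATE KEY-----`); the thread does not show the file, and the sample key is generated in memory.

```javascript
const crypto = require('crypto');

// Return the label of the first PEM block, e.g. "RSA PRIVATE KEY" or "CERTIFICATE".
function pemLabel(pem) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----/.exec(pem);
  if (!m) throw new Error('not a PEM file');
  return m[1];
}

// Re-encode an unencrypted RSA private key as PKCS#1 ("BEGIN RSA PRIVATE KEY").
function toPkcs1(pem) {
  const label = pemLabel(pem);
  if (label === 'CERTIFICATE' || label === 'PUBLIC KEY') {
    throw new Error(`${label} holds no private key; use the key file instead`);
  }
  if (label === 'ENCRYPTED PRIVATE KEY') throw new Error('key is passphrase-protected');
  const key = crypto.createPrivateKey(pem);
  if (key.asymmetricKeyType !== 'rsa') throw new Error('RSA-SHA1 needs an RSA key');
  return key.export({ type: 'pkcs1', format: 'pem' });
}

// Constructed sample: a throwaway 2048-bit key in PKCS#8 form, generated in memory.
function demo() {
  const { privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pkcs8 = privateKey.export({ type: 'pkcs8', format: 'pem' });
  const pkcs1 = toPkcs1(pkcs8);
  // Same key, different wrapper: a signature made with one verifies against the other.
  const sig = crypto.sign('sha1', Buffer.from('probe'), pkcs1);
  const sameKey = crypto.verify('sha1', Buffer.from('probe'), crypto.createPublicKey(pkcs8), sig);
  return { before: pemLabel(pkcs8), after: pemLabel(pkcs1), sameKey };
}
```

The converted PEM is still the private key: load it from a protected file or secret store at run time rather than pasting it into script source.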