Orchestrator Authentication not working with Javascript XHR request


I try to build a website where I can internally control our UiPath Orchestrator. We are using an on-premise Orchestrator.

The connection was firstly tested in Postman/curl:

curl --location --request POST '{{url}}/api/Account/Authenticate' \
--header 'Content-Type: application/json' \
--data-raw '{
    "tenancyName": "{{tenantName}}",
    "usernameOrEmailAddress": "{{usernameOrEmailAddress}}",
    "password": "{{password}}"
}'

This gives me back the authtoken without any issue. Perfect.

Then I tried to implement that curl as XHR in Javascript:

// Same request body as the curl call, serialized as JSON
var data = JSON.stringify({"tenancyName":"...","usernameOrEmailAddress":"...","password":"..."});
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function() {
  if (this.readyState === 4) {
    console.log(this.responseText);
  }
});
xhr.open("POST", "https://.../api/account/authenticate");
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(data);

But Firefox and Chrome try to preflight the request, so I get a 404 status code back:

Firefox: [screenshot]

Chrome: [screenshot]

I'm confused now how to fix it. Actually it is obviously a CORS issue. So I tried to set:

<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />

on our IIS7 server, without any change.

Also I tried to set this setting to allow everything on the Node.js server and on the XHR request. But 404 stays.

Then I tried using Chrome and Firefox Plugins to disable CORS. But 404 stays.

And again, in Postman it has worked perfectly since the first try. So it is just a CORS issue. But I want to leave CORS enabled, and maybe just configure it in a way that only specific servers are allowed. How to do that?
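The question asks for a configuration that keeps CORS enabled but only admits specific origins. The following is an added example, not code from the question or from UiPath: a small function that computes the CORS response headers a reverse proxy or middleware in front of the authenticate endpoint would emit, using an explicit origin allowlist instead of `*`. The origin `https://intranet.example.internal` and the header and method lists are assumptions for the example. It echoes the single matching origin rather than `*` because the question's XHR sets `withCredentials = true`, and browsers reject `Access-Control-Allow-Origin: *` on credentialed requests.

```javascript
// Added example (not from the question or UiPath): allowlisted CORS policy
// for the Orchestrator authenticate endpoint.

// Assumed origin of the internal site that hosts the control page.
const ALLOWED_ORIGINS = new Set(["https://intranet.example.internal"]);
const ALLOWED_METHODS = ["POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// req: { method, headers } with lowercase header names, as in Node's IncomingMessage.
// Returns { status, headers } for a preflight, { headers } for an actual request,
// or null when the Origin is not allowlisted (then emit no CORS headers at all).
function corsResponse(req, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  if (!origin || !allowedOrigins.has(origin)) return null;

  // Echo the one matching origin; "*" is invalid once the browser sends
  // credentials, and "Vary: Origin" keeps caches from mixing responses.
  const base = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };

  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!isPreflight) return { headers: base };

  const wantedMethod = req.headers["access-control-request-method"];
  const wantedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);

  // Reject the preflight if the page asks for a method or header outside the policy.
  const methodOk = ALLOWED_METHODS.includes(wantedMethod);
  const headersOk = wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!methodOk || !headersOk) return null;

  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}

// Constructed preflight matching the question's JSON XHR.
const examplePreflight = corsResponse({
  method: "OPTIONS",
  headers: {
    origin: "https://intranet.example.internal",
    "access-control-request-method": "POST",
    "access-control-request-headers": "Content-Type",
  },
});
console.log(examplePreflight);
```

Wire `corsResponse` into whatever sits in front of IIS or the Node.js server: answer `204` with the preflight headers when it returns a status, add the base headers to normal responses, and send nothing CORS-related when it returns null so the browser blocks the page from reading the result.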


0
On BEST ANSWER

Another solution is to disable CORS on IIS10.

But be sure that this is only for testing and only kind of secure when you run it non-public! Later you should enable it again and restrict to your used domains.

First install the CORS module.

And the second step is adding these lines to the web.config file of the IIS10 server:

<configuration>
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
          <add origin="*">
            <allowHeaders allowAllRequestedHeaders="true" />
          </add>
        </cors>
    </system.webServer>
</configuration>
0
On

One solution is to use the non-preflight request:

// Form-encoded body instead of JSON, so no JSON.stringify here
var data = "tenancyName=...&usernameOrEmailAddress=...&password=...";
var xhr = new XMLHttpRequest();

xhr.addEventListener("readystatechange", function() {
  if (this.readyState === 4) {
    console.log(this.responseText);
  }
});

xhr.open("POST", "https://url/api/account/authenticate");
// application/x-www-form-urlencoded is a CORS-safelisted content type, so the browser sends no OPTIONS preflight
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send(data);

As "Content-Type: application/x-www-form-urlencoded" is one of the non-preflight content types, we simply dodge the CORS mechanics with it. And of course the data variable was changed, so the JSON.stringify is gone now.

As the UiPath Orchestrator server is in a private Azure environment, this is not a huge security issue at all.

Anyway, solutions that disable CORS completely on the IIS7 server are still welcome.
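The answer above relies on the browser's rule for which requests are sent without a preflight. The following is an added example, not code from the answer or from UiPath: a classifier that applies the Fetch standard's CORS-safelisted request rules (methods GET, HEAD, POST; only the Accept, Accept-Language, Content-Language and Content-Type headers; Content-Type limited to application/x-www-form-urlencoded, multipart/form-data or text/plain; each safelisted value at most 128 bytes) and runs it over the two XHR variants in this thread. Two things follow from the rules that the answer does not spell out: a safelisted request skips only the OPTIONS round trip, the browser still requires Access-Control-Allow-Origin on the response before the script may read responseText; and any later Orchestrator call that carries the token in an Authorization header is preflighted again, so the server-side CORS policy is needed anyway.

```javascript
// Added example (not from the answer or UiPath): decide whether a browser
// will preflight a cross-origin request, per the Fetch standard's safelist.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns the first reason the request needs a preflight, or null if none.
function preflightReason(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return `method ${method}`;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return `header ${name}`;
    // Fetch caps every safelisted header value at 128 bytes.
    if (new TextEncoder().encode(value).length > 128) return `header ${name} too long`;
    if (lname === "content-type") {
      // The MIME essence is type/subtype, before any ";charset=..." parameter.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return `content-type ${essence}`;
    }
  }
  return null;
}

function needsPreflight(method, headers) {
  return preflightReason(method, headers) !== null;
}

// The two XHR variants from this thread (constructed header sets).
const jsonLogin = { "Content-Type": "application/json" };
const formLogin = { "Content-Type": "application/x-www-form-urlencoded" };
// A follow-up Orchestrator call carrying the bearer token (assumed header).
const tokenCall = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Bearer <token>" };

console.log("JSON login:", preflightReason("POST", jsonLogin));   // content-type application/json
console.log("form login:", preflightReason("POST", formLogin));   // null
console.log("token call:", preflightReason("GET", tokenCall));    // header Authorization
```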