$.ajax is not including Bearer if called from HTML

Hi

I am working on some security updates that involve locking down some RED.httpAdmin endpoints.

RED.httpAdmin.get(
	'/zwave-js/cfg-version',
	RED.auth.needsPermission('flows.read'),
	function (req, res) {
		delete require.cache[require.resolve('zwave-js/package.json')];
		const ZWaveJSPackage = require('zwave-js/package.json');
		res.json({
			zwjsversion: ZWaveJSPackage.version,
			zwjscfgversion: ZWaveJSPackage.dependencies['@zwave-js/config'],
			moduleversion: ModulePackage.version
		});
	}
);

This is called upon from oneditprepare

$.ajax({
	url: '/zwave-js/cfg-version',
	cache: false,
	dataType: 'json',
	method: 'GET',
	success: function (data) {
		$('#MOD_Version').val(data.moduleversion);
		$('#ZWJS_Version').val(data.zwjsversion);
		$('#ZWJS_CFGVersion').val(data.zwjscfgversion);
	}
});

However, it seems this does not include the Bearer token in the header - and of course we get 401 Unauthorized.

I read you set up the ajax framework to include the Bearer?
Am I missing something?

Other $.ajax calls do include the header - i.e. in my js file that drives a custom UI tab,
this seems to be limited to the HTML file -> oneditprepare

Thank you please!

Do not start the URL with a /.

If a user has set httpAdminRoot to move the editor to a different path, you need to make your request relative to the current page and not assume it is served from /.

That might also solve the bearer token issue.


Well well well, that worked!

Thanks Nick - Much appreciated
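
An added illustration of the reply above (not code from this thread or from Node-RED): it assumes an editor served with httpAdminRoot set to `/admin/` on a constructed host, and models a global `beforeSend` hook that attaches the token only to page-relative URLs, an assumed rule that matches the behaviour reported here. It shows where each URL form resolves and whether the Authorization header goes with it.

```javascript
// Added illustration; not Node-RED source code.
// Assumption: the editor page lives under httpAdminRoot '/admin/' (constructed host).
const EDITOR_PAGE = 'https://nr.example.test/admin/';
const TOKEN = 'constructed-token'; // constructed sample value

// Assumed rule: only page-relative URLs get the token, so it is never
// attached to absolute, root-anchored ('/...') or dot-prefixed URLs.
function isPageRelative(url) {
	return !/^\s*(https?:|\/|\.)/i.test(url);
}

// Describe the request a browser would make for a given $.ajax url.
function describeRequest(url, accessToken) {
	const headers = {};
	if (accessToken && isPageRelative(url)) {
		headers.Authorization = 'Bearer ' + accessToken;
	}
	// Relative URLs resolve against the current page, as in the browser.
	return { target: new URL(url, EDITOR_PAGE).href, headers };
}

// The question's URL: escapes httpAdminRoot and carries no token (401).
const rooted = describeRequest('/zwave-js/cfg-version', TOKEN);
// The fix from the reply: stays under httpAdminRoot and carries the token.
const relative = describeRequest('zwave-js/cfg-version', TOKEN);
// An off-site URL must never receive the editor's token.
const offsite = describeRequest('https://other.example.test/x', TOKEN);

for (const r of [rooted, relative, offsite]) {
	console.log(r.target, r.headers.Authorization ? 'with token' : 'no token');
}
```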
