$.ajax is not including Bearer if called from HTML


I am working on some security updates that involve locking down some RED.httpAdmin endpoints.

	function (req, res) {
		// Drop the cached copy so the versions are re-read from disk
		delete require.cache[require.resolve('zwave-js/package.json')];
		const ZWaveJSPackage = require('zwave-js/package.json');
		res.json({
			zwjsversion: ZWaveJSPackage.version,
			zwjscfgversion: ZWaveJSPackage.dependencies['@zwave-js/config'],
			moduleversion: ModulePackage.version
		});
	}

This is called from oneditprepare:

	$.ajax({
		url: '/zwave-js/cfg-version',
		cache: false,
		dataType: 'json',
		method: 'GET',
		success: function (data) {
			// ... (rest of the handler is not shown in the post)
		}
	});

However, it seems this does not include the Bearer token in the header - and of course we get 401 Unauthorized.

I read you set up the ajax framework to include the Bearer?
Am I missing something?

Other $.ajax calls do include the header - i.e. in my js file that drives a custom UI tab,
this seems to be limited to the HTML file -> oneditprepare

Thank you please!

Do not start the URL with a /.

If a user has set httpAdminRoot to move the editor to a different path, you need to make your request relative to the current page and not assume it is served from /

That might also solve the bearer token issue.

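The difference between the two URL forms in the answer above, as an added example that is not code from the thread or from Node-RED. It assumes, consistent with what the thread observed but not confirmed by it, a global request hook that attaches the access token only to URLs relative to the editor page; `buildRequest`, `isEditorRelative`, the editor page URLs and the token are hypothetical.

```javascript
// Constructed editor page URLs: default root, and httpAdminRoot set to '/admin'.
const EDITOR_PAGES = ['http://localhost:1880/', 'http://localhost:1880/admin/'];

// Path the browser actually requests when the call is made from the editor page.
function resolveFromEditor(editorPageUrl, requestUrl) {
  return new URL(requestUrl, editorPageUrl).pathname;
}

// Assumption: the hook only trusts URLs relative to the editor page
// (no scheme, no leading "/"), so the token cannot follow a request
// that leaves the admin root or the origin.
function isEditorRelative(requestUrl) {
  return !/^\s*([a-z][a-z0-9+.-]*:|\/)/i.test(requestUrl);
}

// Hypothetical helper: the request a locked-down admin endpoint would receive.
function buildRequest(editorPageUrl, requestUrl, accessToken) {
  const headers = {};
  if (accessToken && isEditorRelative(requestUrl)) {
    headers.Authorization = 'Bearer ' + accessToken;
  }
  return { path: resolveFromEditor(editorPageUrl, requestUrl), headers };
}

// Compare both URL forms from the thread under both editor roots.
function compare(accessToken) {
  const rows = [];
  for (const page of EDITOR_PAGES) {
    for (const url of ['/zwave-js/cfg-version', 'zwave-js/cfg-version']) {
      const req = buildRequest(page, url, accessToken);
      rows.push({
        page,
        url,
        path: req.path,
        authorized: 'Authorization' in req.headers
      });
    }
  }
  return rows;
}

console.table(compare('constructed-token'));
```

With the editor under `/admin/`, only the URL without the leading slash both stays under the admin root and carries the `Authorization` header.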

Well well well, that worked!

Thanks Nick - Much appreciated
