Javascript with fetch API : Error403 with X-Rejection-Reason:AnonymousQuotaPerDay

[jdargaud]

Hi there,

I am trying to put up a request on OPS V3.2 from a javascript application running in my browser (firefox).
I send a first request using the fetch API :

Code: Select all

fetch('https://ops.epo.org/3.2/auth/accesstoken',
  {
    method: 'POST',
    headers:{
      'content-type': 'application/x-www-form-urlencoded',
      'Authorization': 'Basic ' + window.btoa(userkey+':'+secretkey)
    },
    body: 'grant_type=client_credentials'
  }
)

which works fine, I get in a code 200 answer with an access_token .
However, when I try next to send a POST request using the same method

Code: Select all

fetch('https://ops.epo.org/3.2/rest-services/published-data/{publication}/{epodoc}/biblio',
  {
    method: 'POST',
    headers:{
      'Accept': 'application/exchange+xml',
      'Authorization': 'Bearer '+ token
    },
    body: 'EP1000000.A1'
  }
)

where token is the access_token obtained before,
I get the 403 code error with X-Rejection-Reason:AnonymousQuotaPerDay on the "pre-flight" request, i. e. when firefox tests whether the server is cross-domain compliant. Obviously, I get afterwards a networking error stating that my request does not satisfy the cross-domain policy and Firefox does not send the main request.

I get the feeling that my credentials are ok, since in the first request, I can see my email adress in the answer body (under developer.email). Then why would I be treated as anonymous?

Can anyone shed some light here ? That would be most appreciated.
Best regards,

JB Dargaud

[EPO / OPS Support]

Hi,

Your POST request seems incorrect and it seems you are not using your token in that request at all, this is why you are getting this anonymous access error.

If you want to test POST, use Developers testing console

Regards,
Vesna for OPS support

[jdargaud]

Hi there,

I do use the token in the second POST

Code: Select all

'Authorization': 'Bearer '+ token

where token is a variable whose value is the access_token.
A console log just before the request confirms this.

I managed some minutes ago to get the document, however I do not know how, I know went back to the same error message.
I tried with postman, where it works OK. I even used postman to get the token and put it hard coded in my script, to no avail. I suspect somethig is wrong with my fetch request, but I do not see what.
Maybe the application header ?
Also, I do not understand how I pass the payload of the request : a simple string in the body ?

When I will get this running, I will post a minimal working exemple to serve other users who wants to implement OPS in a javascript application.

[jdargaud]

The plot thickens...
When I try on my computer at home, I manage to fetch whatever I want. However on my computer at work, it fails with the same code.
Headers sent are identical except for the firefox version used: 60 at work and 64 at home.
To resume :

Code: Select all

function userAction ()
{
    //get access token for registration
    fetch('https://ops.epo.org/3.2/auth/accesstoken',
	  {
	      method: 'POST',
	      headers:{
		  'Content-Type': 'application/x-www-form-urlencoded',
		  'Authorization': 'Basic ' + window.btoa("appKey:secretKey")
	      },
	      body: 'grant_type=client_credentials'
	  }
	 )
	.then( //authentication fetch.then
	    (resp) => resp.json())
	.then( // json.then
	    function (data){
			getData(data.access_token);//Now that I have a token, I can send the real request
	    }
	)
    .catch(//authentication fetch.catch
	    function (error){
			console.log('error1'+error);
	    }
	)
}

And then, upon succeding in obtaining a valid token, I send the GET request:

Code: Select all

function getData(token){
    console.log('success in getting access token: '+ token);
    // true call
    fetch('https://ops.epo.org/3.2/rest-services/published-data/publication/epodoc/EP10000000.A1/biblio',
	  {
	      method: 'GET',
	      headers:{
			'Authorization': 'Bearer '+ token
	      }
	  }
	 )
	.then( //fetch 2.then
	    (resp2) => resp2.text()
		.then( //text 2.then
		    function (data){
			console.log(data);
		    }
		)
		.catch( //text 2.catch
		    function (error){
			console.log(error);
		    }
		)
	)
	.catch( //fetch 2.catch
	    function (error){
		console.log('fetch error '+error);
	    }
	)
}

For the first request, the pre-flight header is

Code: Select all

https://ops.epo.org/3.2/auth/accesstoken
Host: ops.epo.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,fr;q=0.8,fr-FR;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization
Origin: null
Connection: keep-alive

For the second, it is:

Code: Select all

https://ops.epo.org/3.2/rest-services/published-data/publication/epodoc/EP10000000.A1/biblio
Host: ops.epo.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,fr;q=0.8,fr-FR;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Origin: null
Connection: keep-alive

The only difference is that one is a POST and the other one is a GET. Both works prefectly fine with POSTMAN or the API console...
Does anyone have a insightful idea of what may cause this problem? Maybe a firewall or something?

[jdargaud]

Hi there,
I searched a little but further and now here are my symptoms: the same snippet either works or not due to external circumstances...
Below is a minimal working exemple. It is a simple html page with a button. When clicking on it, it executes embedded javascript code with fetch API.

Code: Select all

<!DOCTYPE html>
<head>
</head>
<body>
	<div>
		<button value="toto" onClick="userAction()">Mon gros bouton</button>
	</div>
	<script>
    /* javascript */
function userAction ()
{
	// ID et Pwd
	var myID = myID';
	var myPwd = 'password';
	
	var appNumber = "EP1000000A1";
       //get access token for registration
		fetch('https://ops.epo.org/3.2/auth/accesstoken',
		{
			method: 'POST',
			headers:{
			'Accept' : 'application/json',
			'Content-Type': 'application/x-www-form-urlencoded',
			'Authorization': 'Basic ' + window.btoa(myID+':'+myPwd)
			},
			body: 'grant_type=client_credentials'
		}
		)
		.then( //authentication fetch.then
			(resp) => resp.json())
		.then( // json.then
	    function (data){
			getData(data.access_token, appNumber);
			return;
	    }
	)
    .catch(//authentication fetch.catch
	    function (error){
			console.log('error '+error);
			alert("Hum...");
	    }
	)
}

function getData(token, application){
    console.log('success in getting access token: '+ token);
    // true call
    fetch('https://ops.epo.org/3.2/rest-services/published-data/publication/epodoc/biblio',
	  {
	      method: 'POST',
	      headers:{
			'Content-Type': 'text/plain',
			'Authorization': 'Bearer '+ token
	      },
		  body: application
	  }
	 )
	.then( //fetch 2.then
	    (resp2) => resp2.text())
	.then(
		function (data){
		\\do something with your data
		}
	)
	.catch( //text 2.catch
	    function (error){
		console.log(error);
	    }
	)
}
/* #javascript */
	</script>
</body>
</html>

Sometimes it works OK, sometimes it simply doesn't.
The preflight request of the second fetch XHTTP request does not comply with CORS policy. And the error message suggests that I am not authenticated. However, as it is a pre-flight request, one should not be authenticated, since one only wants to know whether cross domain request are allowed.
Below is the answer header with the 403 error code.

Code: Select all

HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: *
Content-Type: application/xml
Date: Mon, 04 Feb 2019 12:50:53 GMT
X-EPO-Client-IP: ***********
X-EPO-Forwarded: ***********
X-Rejection-Reason: AnonymousQuotaPerDay
Content-Length: 207
Connection: keep-alive

I found out that there were users of OPS with the same IP but a different acocunt (they are from a different company). I wonder if there are any limitations to the number of users per day on the same IP ?
And if I use their credentials, the code still fails...

I am at a loss. Please anybody?

[EPO / OPS Support]

Hi,

I don't think that other users would result into you getting anonymous quota per day error. You would get error that your daily or hourly quota is reached if more users would be taking too much data. Also, there is a consumption app that you can use in OPS (see OPS documentation). OPS is also not set on a level of IP, this would be the case for “manual” users in Espacenet, but not in OPS.

Maybe a fellow user of OPS reading this would be able to suggest how to avoid issues that you experience when working from your office.

ANY IDEA ANYONE??

Regards
Vesna for OPS forum