Do you use or administer OpenEMR? Take the General Satisfaction Survey to help improve the product

API CORS woes in production

Situation

I have a proof of concept I’m working on and I plan on using openemrs API to load some data into my app but I still can’t get away from the dreaded CORS issues.

Here’s what I’ve tried so far:

I’ve tried editing httpd.conf adding

  Header always set Access-Control-Allow-Origin "*"
  Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
  Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
  Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
  Header always set Access-Control-Max-Age "600"

  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^(.*)$ $1 [R=200,L]

I tried just adding just these lines:

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

I’ve tried the same editing openemer.conf and no success I can post/get fine with postman but it just refuses to work with a fetch request via javascript, anyone have any ideas how to fix this?

OpenEMR Version
I’m using OpenEMR version from the AWS marketplace which is: Version Number: v5.0.2 (3)

Browser:
I’m using: Chrome, Firefox

Operating System
I’m using: Windows

Logs
What makes this more bizarre is that I can login via my app using the API but any other calls afterward return the CORS issue, here are the last few lines of my access.log where you can see me login in and getting the facility list via postman that works fine.

162.158.123.250 - - [14/Nov/2020:18:15:04 +0000] "POST /apis/api/auth HTTP/1.1" 200 385 "-" "PostmanRuntime/7.26.5"
162.158.123.250 - - [14/Nov/2020:18:15:04 +0000] "POST /apis/api/auth HTTP/1.1" 200 385 "-" "PostmanRuntime/7.26.5"
162.158.123.250 - - [14/Nov/2020:18:15:16 +0000] "GET /apis/api/facility HTTP/1.1" 200 576 "-" "PostmanRuntime/7.26.5"
162.158.123.250 - - [14/Nov/2020:18:15:16 +0000] "GET /apis/api/facility HTTP/1.1" 200 576 "-" "PostmanRuntime/7.26.5"
162.158.123.16 - - [14/Nov/2020:18:15:17 +0000] "POST /library/ajax/execute_background_services.php HTTP/1.1" 200 - "https://openemr.er365pr.com/interface/main/tabs/main.php?token_main=qCtSmrIIWHXyMzhhCwvUddvijbbOSnAdyHp8xZFO" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
162.158.123.16 - - [14/Nov/2020:18:15:17 +0000] "POST /library/ajax/execute_background_services.php HTTP/1.1" 200 - "https://openemr.er365pr.com/interface/main/tabs/main.php?token_main=qCtSmrIIWHXyMzhhCwvUddvijbbOSnAdyHp8xZFO" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
162.158.123.16 - - [14/Nov/2020:18:15:17 +0000] "GET /interface/main/tabs/timeout_iframe.php HTTP/1.1" 200 195 "https://openemr.er365pr.com/interface/main/tabs/timeout_iframe.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
162.158.123.16 - - [14/Nov/2020:18:15:17 +0000] "GET /interface/main/tabs/timeout_iframe.php HTTP/1.1" 200 195 "https://openemr.er365pr.com/interface/main/tabs/timeout_iframe.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
162.158.123.16 - - [14/Nov/2020:18:15:17 +0000] "POST /library/ajax/dated_reminders_counter.php HTTP/1.1" 200 - "https://openemr.er365pr.com/interface/main/tabs/main.php?token_main=qCtSmrIIWHXyMzhhCwvUddvijbbOSnAdyHp8xZFO" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
162.158.123.16 - - [14/Nov/2020:18:15:17 +0000] "POST /library/ajax/dated_reminders_counter.php HTTP/1.1" 200 - "https://openemr.er365pr.com/interface/main/tabs/main.php?token_main=qCtSmrIIWHXyMzhhCwvUddvijbbOSnAdyHp8xZFO" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
162.158.123.16 - - [14/Nov/2020:18:15:20 +0000] "POST /interface/main/dated_reminders/dated_reminders.php HTTP/1.1" 200 98 "https://openemr.er365pr.com/interface/main/messages/messages.php?form_active=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
162.158.123.16 - - [14/Nov/2020:18:15:20 +0000] "POST /interface/main/dated_reminders/dated_reminders.php HTTP/1.1" 200 98 "https://openemr.er365pr.com/interface/main/messages/messages.php?form_active=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
108.162.212.200 - - [14/Nov/2020:18:15:30 +0000] "POST /apis/api/auth HTTP/1.1" 200 389 "https://er365pr.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
108.162.212.200 - - [14/Nov/2020:18:15:30 +0000] "POST /apis/api/auth HTTP/1.1" 200 389 "https://er365pr.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
108.162.212.200 - - [14/Nov/2020:18:15:33 +0000] "OPTIONS /apis/api/patient HTTP/1.1" 401 - "https://er365pr.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
108.162.212.200 - - [14/Nov/2020:18:15:33 +0000] "OPTIONS /apis/api/patient HTTP/1.1" 401 - "https://er365pr.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"

I am actually able to login using the API but once I try to get patients or facilities or any other API request it just refuses to work.

Any ideas, insight, or suggestions are greatly appreciated, thanks.

Discussion on Slack suggests that the problem might be that the OpenEMR API isn’t handling CORS preflight requests. Whether it should do so or not is an open question, I suppose, but I offer https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request as an example of the desired behavior.

Posting some more findings after other things I’ve tried.

So I’m starting to think this is an actual problem with the API itself, I added my site to the docker container and modified the apache config where I host openemr on api.localhost and my react app on localhost added the headers stuff and I still get the same issue even though they are on the same exact host.

I also tried adding my app as part of the docker-compose and made a network all containers have access to and still run into the same issue :eyes: :confused:

Openemrs APIs don’t understand HTTP OPTIONS!