
API CORS Access

I'm having issues pulling from the Ecobee API via client-side JavaScript (both vanilla JS and jQuery) and it looks like issues with CORS support on the Ecobee side.

I have all the keys/tokens created and working correctly when I make a request through curl, so I don't think that's causing any problems.

I've tried making an AJAX call to the API, using the JavaScript example in the documentation: https://www.ecobee.com/home/developer...

Because of CORS, adding the "Authorization" header to the request causes the browser to kick off a preflight OPTIONS request to Ecobee (details at: https://developer.mozilla.org/en-US/d...). That OPTIONS call fails with status 500 and message "Authentication failed. Token is required". I believe it's happening because the "Authorization" header itself cannot be sent on an OPTIONS request per the browser standards (tested on both Chrome and Firefox) and Ecobee is checking for that header on OPTIONS requests and erroring if it's not found. I think the Ecobee API should allow OPTIONS requests without an Authorization header as this isn't something that can be corrected on the client side.

This can be verified by a simple curl request without the Authorization header:
curl -v -s -X OPTIONS 'https://api.ecobee.com/1/thermostat?f...'

When I manually force through an OPTIONS request via curl with the Authorization header set, and my token included, I do get a valid response back, but there is no Content-Control-Allow-Origin header set, which I think will also disallow CORS requests. The Ecobee API should be responding back to the OPTIONS request with a Content-Control-Allow-Origin header allowing access outside the ecobee.com domain. That can be verified via:
curl -v -s -H 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' -X OPTIONS 'https://api.ecobee.com/1/thermostat?f...'
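Added example, not part of the original post and not Ecobee's code: one way a server can order the two checks discussed above, answering the credential-less preflight before authentication while still requiring the bearer token on the real request. The origin allowlist, `handle`, `isValidToken` and the request objects are assumptions; the response header that actually grants cross-origin read access is `Access-Control-Allow-Origin`.

```javascript
// Added example: CORS preflight is answered before the auth check.
// ALLOWED_ORIGINS, the token validator and request shapes are constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = 'GET, POST, OPTIONS';
const ALLOWED_HEADERS = ['authorization', 'content-type'];

function corsHeaders(origin) {
  // Echo only allowlisted origins; never reflect an arbitrary Origin.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

function isPreflight(req) {
  // A real preflight is OPTIONS plus Origin and Access-Control-Request-Method.
  return req.method === 'OPTIONS' &&
    'origin' in req.headers &&
    'access-control-request-method' in req.headers;
}

// req: { method, headers } with lower-cased header names (as Node provides).
function handle(req, isValidToken) {
  const cors = corsHeaders(req.headers.origin);
  if (isPreflight(req)) {
    // Browsers send preflights without credentials, so no token check here.
    if (!cors['Access-Control-Allow-Origin']) return { status: 403, headers: {} };
    const asked = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    if (!asked.every(h => ALLOWED_HEADERS.includes(h))) {
      return { status: 403, headers: cors };
    }
    return { status: 204, headers: { ...cors,
      'Access-Control-Allow-Methods': ALLOWED_METHODS,
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': '600' } };
  }
  // Every non-preflight request must still carry a valid bearer token.
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
  if (!m || !isValidToken(m[1])) {
    // 401 (not 500), with CORS headers so the calling page can read the error.
    return { status: 401, headers: { ...cors, 'WWW-Authenticate': 'Bearer' } };
  }
  return { status: 200, headers: cors };
}
```

A bare `OPTIONS` without `Origin` and `Access-Control-Request-Method`, like the first curl command above, is not treated as a preflight here and falls through to the token check.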