Thanks Tony!

After researching this for the better part of a whole day now, it turns out that "Cookie" being impossible to set as a header in most browsers was my true problem... I wonder if Autodesk using this header name intentionally to prevent something? 

Anyways, thanks to some help from a JavaScript/web design expert, you can get around this by using the document.cookie method to put the auth token in document cookie headers, as follows:

function fusionLogin(email,password) {
    var url = "https://mytenant.autodeskplm360.net/rest/auth/1/login";
    var payload = {
        "userID": email,
        "password": password
    };
    $.ajax({
        url: url,    
        method: "POST",
        data: payload
    }).done(function(resp){
        var cookie1 = "customer="+ resp.customerToken;
        var cookie2 = "JSESSIONID=" + resp.sessionid;
        document.cookie = cookie1;
        document.cookie = cookie2;
        getUserData(); //call second AJAX request to get the data you need
    }).fail(function(r){
        alert("Login Failed");
    });
}

Note that the subsequent $.ajax "GET" request (which will now automatically use the document cookie as a header) must include the option in BOLD for this to work (ripped that from a similar stackoverflow post):

function getUserData() {
    var url = "https://mytenant.autodeskplm360.net/api/rest/v1/users/current_user";
    $.ajax({
        url: url,    
        method: "GET",
        xhrFields: {withCredentials:true}
    }).done(function(resp){
        console.log(resp) // logs {user:{...}}
    }).fail(function(r){
        console.log("failed");
    });
}

Anyways, this seems to be working for me at the moment! Thanks again!

On second thought.... this is not entirely working.

It occurred to me that this code works ONLY if I'm logged into the tenant on another tab in the same browser session!

The second I close the tab with the logged in tenant, the ajax request fails once again.  It turns out that adding the keys to document.cookie does nothing at all -- it was was xhrFields: {withCredentials:true} that allowed this to work, but I'm still screwed if I close the logged-in tab.

I'm stumped and don't know a whole lot about what's going on between tabs here... help?

Hi,

Forget what I wrote, from documentation of document.cookie, your implementation seems ok by doing twice the document.cookie = 

You seem to have a small issue with your logic here:

        document.cookie = cookie1;
        document.cookie = cookie2;

Your document.cookie is first set to cookie1 but gets "overwritten" by cookie2 on you second line.

I think you need to concatenate cookie1 and cookie2 together and set document.cookie with the concatenated result. Something like this:

        document.cookie = cookie1 + ";" + cookie2;

Dany Poudrier

PLM Product Manager

Hi,

From your comments, it seems that the login may not even be successful...

Can you check the resp.authStatus value?  

Example login response:

{
    "userid": "bloggsj",
    "sessionid": "A22C16C47EDD06390A45C6F3C4A8A918",
    "customerToken": "MYTENANT",
    "authStatus": {
        "id": "200",
        "description": "LOGIN_OK"
    }
}

 That seems to fit the symptoms you are describing (that it only works when you are logged in from another tab)...

Dany Poudrier

PLM Product Manager

I think it is logging in properly, actually.

Added console.log(resp.authStatus) in the .done() block, and I get the following in the console:

{id: 200, description: "LOGIN_OK"}

I receive a token in the full response as well.

I'm concerned that it's a problem with Autodesk choosing the "Cookie" key for their authorization token.  I'm not much of an expert in this stuff, but it seems to me that Autodesk might consider allowing the token in the "Authorization" key as well?

Because the more I look into this, the more unlikely it seems that I'll be able to make an AJAX request to the API through my browser at all (without logging in on a separate tab, that is):

http://stackoverflow.com/questions/17847283/cookie-header-in-phonegap-refused-to-set-unsafe-header-c...

http://stackoverflow.com/questions/33143776/ajax-request-refused-to-set-unsafe-header

On the other hand I'm surprised nobody else has come across this issue -- is nobody else accessing the Fusion API through their own domain?

Hi Martin,

Can you be a little more specific? Maybe a short block of code? I've been trying to add the JSESSIONID to the header in a number of different ways, and they're all failing... 

function fusionLogin(email,password) {
    var url = "https://mytenant.autodeskplm360.net/rest/auth/1/login";
    var payload = {
        "userID": email,
        "password": password
    };
    $.ajax({
        url: url,    
        method: "POST",
        data: payload
    }).done(function(resp){
        $('#login-overlay').hide();
        $('#sidenav').removeClass('hidden');
        var cookie1 = "customer="+ resp.customerToken;
        var cookie2 = "JSESSIONID=" + resp.sessionid;
        document.cookie = cookie1; //document.cookie adds cookie1 to document
        document.cookie = cookie2; //document.cookie adds cookie2 to document
        var c = document.cookie; 
        console.log(c); //customer=MYTENANT; JSESSIONID=A015010DE40990EA580202B2CE8A7F47.web14
        console.log(resp.authStatus); //200 OK
        getUserData(); //GET /users/current_user (FAILS)
        getProjectData(); //GET /workspaces/97/items (FAILS)
    }).fail(function(r){
        console.log(r);
        alert("Login Failed");
    });
}

Hi Johnny,

Can you try to set another cookie (for testing)?

var cookie3 = "token="+ resp.customerToken;
document.cookie = cookie3;

The reason I am asking is that I see in the documentation and during my tests that the endpoint is using also "token" as cookie name.

Moreover, Have you tried to add the crossDomain flag? 

xhrFields: {
    withCredentials: true
},
crossDomain: true,

Dany Poudrier

PLM Product Manager

Hey Danny,

I did actually notice that myself, and tried it earlier, but it doesn't seem to make a difference. I did add the "crossDomain: true", as you advised (request still fails).

It also occurred to me that setting "document.cookie" may not actually be affecting the request header cookie at all. 

After clearing the browser cache, and then using the same above code for the AJAX request (with document.cookie = cookie1; document.cookie=cookie2), I checked the failed request again through the chrome debugger:

Request Headers

Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:excludeweekends=no
Host:XXXXXX.autodeskplm360.net
Origin:http://localhost:5000
Referer:http://localhost:5000/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/5
37.36

As you can see, the authorization cookies actually aren't present in the request after all (not sure what excludeweekends=no is, or how IT got there)... if I log into my tenant on another tab however, and then refresh the request, those cookies are suddenly present, and the request is successful.  It seems like the Fusion server is the only thing that can set a cookie in a request?

Hello Johnny,

I created a web server and started playing with your code. I included one of our architect to decipher what what your issue.

It should have been obvious but I was so close to the tree that I didn't see the forest: What you are asking is cross domain script access to a session cookie.

This is something that we do not allow (actually most website don't allow) as it opens a breach for cross-site scripting attacks (XSS).

So what you are doing is forbidden for security reasons.

The proper way would be to have your server as proxy to get the call from your client and the server will do the call to login and fetch the right information via the REST API of Fusion Lifecycle.

This blog post is a good article on why we are not allowing it (we protect via the httponly attribute of the cookie).

Dany Poudrier

PLM Product Manager

---

@dany.poudrier wrote:

 

 

So what you are doing is forbidden for security reasons.

 

The proper way would be to have your server as proxy to get the call from your client and the server will do the call to login and fetch the right information via the REST API of Fusion Lifecycle. 

 

---

Awesome... glad you've figured it out!

So, specifically, which part of what I'm doing is forbidden? Having my client make the HTTP request? (sorry, I'm pretty new to this whole CORS/XSS thing) I don't fully understand why the API calls work when the cookie is set by logging in on another tab.

Can you maybe provide a bit of pseudo-code to help out with the next step here? I've been using a localhost (and occasionally a firebase.google deoployment) server to test my code, which I sort of assumed was working as a proxy anyhow (clearly I'm way off here).

You're the man, Dany. That's a great summary -- sounds like I need to take a tutorial on HTTP or something. 

Anyways, thanks for the help! I know there's lots of other changes to the API coming, so it's good to know that this type of authentication may be available sometime in the near future.  I may look in to Heroku in the meantime.

Hi Johnny,

I have perhaps an alternative that you could try. Depending on your use cases it might fit your need. 

You are using a web page to access the data, so I guess you enter your username/password in that page.  You are trying to club together the login and get of data with java script.

As mentioned, calling the login method with javascript does not store the login cookie.

However if you divide your steps into 2 steps, you can achieve what you want.

You need to have separate steps:

1- Create an HTML form that will login. Because it has 0 javascript, the cookie will stick to the session.

2- Create buttons to get the data and manipulate it using Javascript. (using the xhrFields: {withCredentials: true} ).

Here is a form that I used to login.  Note that on press of the submit, the target redirect to a dummy IFrame. You could also do target="_blank" to send to another tab. After login you can call any of Fusion Lifecycle endpoint.

Using  enctype='application/json' makes the payload json format so it is what the server expects and method=POST is also what server expects. 

<form name = "formlogin" id="formlogin" action="https://previewcpdmadskpo.autodeskplm360.net/rest/auth/1/login" enctype='application/json' method="POST" target="responseframe">

  Username:<br>
  <input type="text" name="userID"><br>
  Password:<br>
  <input type="text" name="password">

  <input type="submit" value="Submit">
	
</form>

<iframe width="0" height="0" border="0" name="responseframe" id="responseframe"></iframe>

I still believe it is better that you handle the information on the server, but has you wait for our new APIs to be available, you can have fun with this.

Dany Poudrier

PLM Product Manager