The Movie Database-ondersteuning
Ondersteuning → API-ondersteuning
Can't access API anymore with Vercel proxy : Error 403 - Host not permitted
geplaatst door dualshoteSTAFFMOD op 20 november 2024 om 3:36 AM
Hello,
Since yesterday, my production application no longer works.
I use Vercel's serverless functions as a proxy for my front-end requests to the TMDB API. This function adds the Bearer token to http headers so that users don't see my API token.
// Vercel serverless function to proxy TMDB API requests
import { createProxyMiddleware } from 'http-proxy-middleware';
import type { Request, Response } from 'express';
const apiProxy = createProxyMiddleware({
target: process.env['TMDB_API_URL'],
changeOrigin: true,
pathRewrite: {
'^/api': '',
},
onProxyReq: proxyReq => {
proxyReq.setHeader(
'Authorization',
`Bearer ${process.env['TMDB_API_TOKEN']}`
);
},
});
export default async function (req: Request<any>, res: Response<any>) {
return apiProxy(req, res, () => ({}));
}
Until yesterday, everything had been running smoothly for over 8 months.
Error logs returned by the proxy function :
[Proxy Response] {
statusCode: 403,
path: '/configuration',
headers: {
'content-type': 'text/plain',
'transfer-encoding': 'chunked',
connection: 'close',
date: 'Wed, 20 Nov 2024 08:34:23 GMT',
server: 'openresty',
'content-encoding': 'gzip',
vary: 'Accept-Encoding,accept-encoding, Origin',
'x-cache': 'Error from cloudfront',
via: '1.1 b09c8a20b29053a362f3c1085a0f8990.cloudfront.net (CloudFront)',
'x-amz-cf-pop': 'MRS52-P5',
'alt-svc': 'h3=":443"; ma=86400',
'x-amz-cf-id': 'wuVqwl7l58qHOjPJgJOfAgVIy7IMNAVgCnvhFOui9-kgrlbTQO3L9Q=='
}
}
There is a possibility that my Vercel host has been blocked ?
When i try to use TMDB API with postman or with an other proxy there is no problem.
Thanks for helping.
Reactie van Travis Bell
op 20 november 2024 om 11:07 AM
Hi @dualshote,
I would assume this has to do with some security work we've been doing over the past week or so. We found an open issue where we were not enforcing the allowed host values, which could let 3rd parties masquerade as if they were the ones running
api.themoviedb.orgwith a different domain.The only way you'd be tripping over this change is if that is precisely what this proxy is inadvertently doing. Are you able to set the
X-Forwarded-Hostheader by any chance? Set it toapi.themoviedb.org, of course.Reactie van JoshuaNitschke
op 20 november 2024 om 12:23 PM
Thanks, I had the same issue and adding the header fixed it for me.
Reactie van dualshote
op 20 november 2024 om 2:25 PM
Hi @travisbell ,
The problem is now fixed by adding the header "X-Forwarded-Host" to "api.themoviedb.org".
https://www.movie-catalog.io/ is now online ;)
Thanks a lot for your help !
Reactie van JoshuaNitschke
op 20 november 2024 om 2:36 PM
@travisbell in my app, we are still seeing some previous calls that were made earlier today without the X-Forward-Host still error when we execute with the new header being passed. Is there some caching on TMDB API that might explain that?
Reactie van Waffiq
op 21 november 2024 om 12:01 AM
I recommend you to provide TMDB attributes to follow the term of use. It would be great to give credits for developers and helps people find the original resource. Source? term of use and logo.
Reactie van dualshote
op 21 november 2024 om 3:30 AM
Hello @waffiqaziz ,
For sure i will provide TMDB attributes, the app is in development, not terminated ;) I had it in my todolist but I'll add it as a priority.
Thanks
Reactie van Waffiq
op 22 november 2024 om 9:26 AM
glad to hear that
Nice, you can add it on about or legal page, i've notice that you have it but not yet developed
Reactie van tim_cook
op 12 januari 2025 om 5:52 AM
Hello @travisbell I'm still facing the issue even after adding the
X-Forwarded-Host. I'm hitting my AWS API gateway from postman and getting: 403 "Host not Permitted", could you please help here?Reactie van tim_cook
op 14 januari 2025 om 2:06 AM
@travisbell
I tried sending the
X-Forwarded-Hostfrom the client side, but I'm getting a 403 Host not permitted error.Apparently, I'm unable to set or modify the
X-Forwarded-Hostin my API gateway parameter mapping.When I inspected the headers forwarded by the API gateway to tmdb API, I could see the following:
Could this be the cause of the problem?
Is there any workaround I could use to resolve this issue?
Reactie van Travis Bell
op 14 januari 2025 om 11:56 AM
@tim_cook Have you tried setting your request headers as described in the API Gateway docs?
Reactie van tim_cook
op 21 januari 2025 om 12:23 PM
@travisbell Since I'm using AWS HTTP API gateway I cannot add template mapping. This issue started occurring all of a sudden. Earlier it used to work correctly without having to make any changes on the API gateway level. What specifically am I supposed to update to get this working?
Reactie van Travis Bell
op 21 januari 2025 om 1:33 PM
Ok, HTTP API Gateway. Isn't that outlined here?
Something along the lines of:
Maybe?
Reactie van tim_cook
op 23 januari 2025 om 11:07 AM
Yes, I did try updating/appending the header via parameter mapping. However, there are a few reserved headers that cannot be mutated.
From the docs (the link that you shared above)
Reserved headers
The following headers are reserved. You can't configure request or response mappings for these headers.
Is there any other workaround to this? I would greatly appreciate it.
Reactie van tim_cook
op 28 januari 2025 om 10:18 AM
@travisbell any updates on this?