Soporte de The Movie Database
Soporte → Soporte de API
Can't access API anymore with Vercel proxy : Error 403 - Host not permitted
publicado por dualshoteSTAFFMOD el 20 de noviembre de 2024 a las 03:36
Hello,
Since yesterday, my production application no longer works.
I use Vercel's serverless functions as a proxy for my front-end requests to the TMDB API. This function adds the Bearer token to http headers so that users don't see my API token.
// Vercel serverless function to proxy TMDB API requests
import { createProxyMiddleware } from 'http-proxy-middleware';
import type { Request, Response } from 'express';
const apiProxy = createProxyMiddleware({
target: process.env['TMDB_API_URL'],
changeOrigin: true,
pathRewrite: {
'^/api': '',
},
onProxyReq: proxyReq => {
proxyReq.setHeader(
'Authorization',
`Bearer ${process.env['TMDB_API_TOKEN']}`
);
},
});
export default async function (req: Request<any>, res: Response<any>) {
return apiProxy(req, res, () => ({}));
}
Until yesterday, everything had been running smoothly for over 8 months.
Error logs returned by the proxy function :
[Proxy Response] {
statusCode: 403,
path: '/configuration',
headers: {
'content-type': 'text/plain',
'transfer-encoding': 'chunked',
connection: 'close',
date: 'Wed, 20 Nov 2024 08:34:23 GMT',
server: 'openresty',
'content-encoding': 'gzip',
vary: 'Accept-Encoding,accept-encoding, Origin',
'x-cache': 'Error from cloudfront',
via: '1.1 b09c8a20b29053a362f3c1085a0f8990.cloudfront.net (CloudFront)',
'x-amz-cf-pop': 'MRS52-P5',
'alt-svc': 'h3=":443"; ma=86400',
'x-amz-cf-id': 'wuVqwl7l58qHOjPJgJOfAgVIy7IMNAVgCnvhFOui9-kgrlbTQO3L9Q=='
}
}
There is a possibility that my Vercel host has been blocked ?
When i try to use TMDB API with postman or with an other proxy there is no problem.
Thanks for helping.
Contestado por Travis Bell
el 20 de noviembre de 2024 a las 11:07
Hi @dualshote,
I would assume this has to do with some security work we've been doing over the past week or so. We found an open issue where we were not enforcing the allowed host values, which could let 3rd parties masquerade as if they were the ones running
api.themoviedb.orgwith a different domain.The only way you'd be tripping over this change is if that is precisely what this proxy is inadvertently doing. Are you able to set the
X-Forwarded-Hostheader by any chance? Set it toapi.themoviedb.org, of course.Contestado por JoshuaNitschke
el 20 de noviembre de 2024 a las 12:23
Thanks, I had the same issue and adding the header fixed it for me.
Contestado por dualshote
el 20 de noviembre de 2024 a las 14:25
Hi @travisbell ,
The problem is now fixed by adding the header "X-Forwarded-Host" to "api.themoviedb.org".
https://www.movie-catalog.io/ is now online ;)
Thanks a lot for your help !
Contestado por JoshuaNitschke
el 20 de noviembre de 2024 a las 14:36
@travisbell in my app, we are still seeing some previous calls that were made earlier today without the X-Forward-Host still error when we execute with the new header being passed. Is there some caching on TMDB API that might explain that?
Contestado por Waffiq
el 21 de noviembre de 2024 a las 00:01
I recommend you to provide TMDB attributes to follow the term of use. It would be great to give credits for developers and helps people find the original resource. Source? term of use and logo.
Contestado por dualshote
el 21 de noviembre de 2024 a las 03:30
Hello @waffiqaziz ,
For sure i will provide TMDB attributes, the app is in development, not terminated ;) I had it in my todolist but I'll add it as a priority.
Thanks
Contestado por Waffiq
el 22 de noviembre de 2024 a las 09:26
glad to hear that
Nice, you can add it on about or legal page, i've notice that you have it but not yet developed
Contestado por tim_cook
el 12 de enero de 2025 a las 05:52
Hello @travisbell I'm still facing the issue even after adding the
X-Forwarded-Host. I'm hitting my AWS API gateway from postman and getting: 403 "Host not Permitted", could you please help here?Contestado por tim_cook
el 14 de enero de 2025 a las 02:06
@travisbell
I tried sending the
X-Forwarded-Hostfrom the client side, but I'm getting a 403 Host not permitted error.Apparently, I'm unable to set or modify the
X-Forwarded-Hostin my API gateway parameter mapping.When I inspected the headers forwarded by the API gateway to tmdb API, I could see the following:
Could this be the cause of the problem?
Is there any workaround I could use to resolve this issue?
Contestado por Travis Bell
el 14 de enero de 2025 a las 11:56
@tim_cook Have you tried setting your request headers as described in the API Gateway docs?
Contestado por tim_cook
el 21 de enero de 2025 a las 12:23
@travisbell Since I'm using AWS HTTP API gateway I cannot add template mapping. This issue started occurring all of a sudden. Earlier it used to work correctly without having to make any changes on the API gateway level. What specifically am I supposed to update to get this working?
Contestado por Travis Bell
el 21 de enero de 2025 a las 13:33
Ok, HTTP API Gateway. Isn't that outlined here?
Something along the lines of:
Maybe?
Contestado por tim_cook
el 23 de enero de 2025 a las 11:07
Yes, I did try updating/appending the header via parameter mapping. However, there are a few reserved headers that cannot be mutated.
From the docs (the link that you shared above)
Reserved headers
The following headers are reserved. You can't configure request or response mappings for these headers.
Is there any other workaround to this? I would greatly appreciate it.
Contestado por tim_cook
el 28 de enero de 2025 a las 10:18
@travisbell any updates on this?