The Movie Database Support
Support → API-support
Can't access API anymore with Vercel proxy : Error 403 - Host not permitted
Inlagt av dualshoteSTAFFMOD den 20 november 2024 vid 3:36 AM
Hello,
Since yesterday, my production application no longer works.
I use Vercel's serverless functions as a proxy for my front-end requests to the TMDB API. This function adds the Bearer token to http headers so that users don't see my API token.
// Vercel serverless function to proxy TMDB API requests
import { createProxyMiddleware } from 'http-proxy-middleware';
import type { Request, Response } from 'express';
const apiProxy = createProxyMiddleware({
target: process.env['TMDB_API_URL'],
changeOrigin: true,
pathRewrite: {
'^/api': '',
},
onProxyReq: proxyReq => {
proxyReq.setHeader(
'Authorization',
`Bearer ${process.env['TMDB_API_TOKEN']}`
);
},
});
export default async function (req: Request<any>, res: Response<any>) {
return apiProxy(req, res, () => ({}));
}
Until yesterday, everything had been running smoothly for over 8 months.
Error logs returned by the proxy function :
[Proxy Response] {
statusCode: 403,
path: '/configuration',
headers: {
'content-type': 'text/plain',
'transfer-encoding': 'chunked',
connection: 'close',
date: 'Wed, 20 Nov 2024 08:34:23 GMT',
server: 'openresty',
'content-encoding': 'gzip',
vary: 'Accept-Encoding,accept-encoding, Origin',
'x-cache': 'Error from cloudfront',
via: '1.1 b09c8a20b29053a362f3c1085a0f8990.cloudfront.net (CloudFront)',
'x-amz-cf-pop': 'MRS52-P5',
'alt-svc': 'h3=":443"; ma=86400',
'x-amz-cf-id': 'wuVqwl7l58qHOjPJgJOfAgVIy7IMNAVgCnvhFOui9-kgrlbTQO3L9Q=='
}
}
There is a possibility that my Vercel host has been blocked ?
When i try to use TMDB API with postman or with an other proxy there is no problem.
Thanks for helping.
Svar från Travis Bell
den 20 november 2024 vid 11:07 AM
Hi @dualshote,
I would assume this has to do with some security work we've been doing over the past week or so. We found an open issue where we were not enforcing the allowed host values, which could let 3rd parties masquerade as if they were the ones running
api.themoviedb.orgwith a different domain.The only way you'd be tripping over this change is if that is precisely what this proxy is inadvertently doing. Are you able to set the
X-Forwarded-Hostheader by any chance? Set it toapi.themoviedb.org, of course.Svar från JoshuaNitschke
den 20 november 2024 vid 12:23 PM
Thanks, I had the same issue and adding the header fixed it for me.
Svar från dualshote
den 20 november 2024 vid 2:25 PM
Hi @travisbell ,
The problem is now fixed by adding the header "X-Forwarded-Host" to "api.themoviedb.org".
https://www.movie-catalog.io/ is now online ;)
Thanks a lot for your help !
Svar från JoshuaNitschke
den 20 november 2024 vid 2:36 PM
@travisbell in my app, we are still seeing some previous calls that were made earlier today without the X-Forward-Host still error when we execute with the new header being passed. Is there some caching on TMDB API that might explain that?
Svar från Waffiq
den 21 november 2024 vid 12:01 AM
I recommend you to provide TMDB attributes to follow the term of use. It would be great to give credits for developers and helps people find the original resource. Source? term of use and logo.
Svar från dualshote
den 21 november 2024 vid 3:30 AM
Hello @waffiqaziz ,
For sure i will provide TMDB attributes, the app is in development, not terminated ;) I had it in my todolist but I'll add it as a priority.
Thanks
Svar från Waffiq
den 22 november 2024 vid 9:26 AM
glad to hear that
Nice, you can add it on about or legal page, i've notice that you have it but not yet developed
Svar från tim_cook
den 12 januari 2025 vid 5:52 AM
Hello @travisbell I'm still facing the issue even after adding the
X-Forwarded-Host. I'm hitting my AWS API gateway from postman and getting: 403 "Host not Permitted", could you please help here?Svar från tim_cook
den 14 januari 2025 vid 2:06 AM
@travisbell
I tried sending the
X-Forwarded-Hostfrom the client side, but I'm getting a 403 Host not permitted error.Apparently, I'm unable to set or modify the
X-Forwarded-Hostin my API gateway parameter mapping.When I inspected the headers forwarded by the API gateway to tmdb API, I could see the following:
Could this be the cause of the problem?
Is there any workaround I could use to resolve this issue?
Svar från Travis Bell
den 14 januari 2025 vid 11:56 AM
@tim_cook Have you tried setting your request headers as described in the API Gateway docs?
Svar från tim_cook
den 21 januari 2025 vid 12:23 PM
@travisbell Since I'm using AWS HTTP API gateway I cannot add template mapping. This issue started occurring all of a sudden. Earlier it used to work correctly without having to make any changes on the API gateway level. What specifically am I supposed to update to get this working?
Svar från Travis Bell
den 21 januari 2025 vid 1:33 PM
Ok, HTTP API Gateway. Isn't that outlined here?
Something along the lines of:
Maybe?
Svar från tim_cook
den 23 januari 2025 vid 11:07 AM
Yes, I did try updating/appending the header via parameter mapping. However, there are a few reserved headers that cannot be mutated.
From the docs (the link that you shared above)
Reserved headers
The following headers are reserved. You can't configure request or response mappings for these headers.
Is there any other workaround to this? I would greatly appreciate it.
Svar från tim_cook
den 28 januari 2025 vid 10:18 AM
@travisbell any updates on this?