I created an integration / access token, followed ...
# suitescript
e
I created an integration / access token, followed all the steps to get to a Bearer Token and when I do a GET/POST etc in Postman, everything works. But when I try to do a JS Fetch with the same information, I get a "Cross-Origin Request Blocked" error. Is this expected?
My end goal is to use Fetch while on a Suitelet to pass information to the RESTlet. Is this possible?
s
is it an authenticated suitelet?
e
^ I can't say that it is... so I'm assuming it's not. Is there a support doc I can read to do this?
s
If it is authenticated (i.e. not 'available without login') then you can leverage the existing session.
If not, you're facing the dangerous scenarios of keeping secrets client side, regardless of CORS issues.
e
Ahh - the one I'm working with IS set to Available without Login.
So I'm building a warehouse app (similar to RF-Smart) and I want our staff to be able to use it without login (so we don't need to buy 100 extra NS user licenses). But the app needs to be able to read/write data from our NS account. Any way to do that securely?
s
one approach for this is to build the app externally then have the backend with the protected secret
e
That makes sense. So no way to do this using NS only? i.e. just Suitelets and Restlets?
s
yes, another would be to have suitelets act as your backend as well
e
Ok - I'll do more research on this. Thanks for pointing me in the right direction!
s
using Suitelets as a backend JSON API is such a common use case for us that we have a prebuilt package for quickly building custom business operations in RPC style with JSON in, JSON out
I'd also build that warehouse app using Angular and connect to the backend via the Mediator (our name for this API thingie)
e
In that case, would you need a Restlet at all?
s
nope. If we're building a SPA that is authenticated, we usually use RESTlet mediator for backend, if it needs to be unauthenticated then a suitelet
e
Ah. This response ^ just saved me hours of stress and hair pulling
s
If you haven't done it already, it's quite easy to make a Suitelet that expects JSON and responds with JSON
e
Just to make sure I understand this correctly, pretty much: if I need users to be able to use my "app" without a NS login, I would use a Suitelet that sends/receives JSON (but it's not going to be Token Based or very secure). Is that correct?
s
Yes, unless you are able to do the OAuth 2 flow with user prompt for authn/authz
but in your case it looks like you're trying to minimize NS licenses
just keep in mind any operations you expose via a suitelet that does not require login can be invoked by hackers
e
Got it. In that case... I'm done! Lol. What you suggested is exactly what I have in place - I was just trying to increase security on it. But I do currently have some security in place (i.e. users have to login with a username and password that is stored in a custom record - and checked upon any request, and also their IP address is checked and must match the IP address of our Warehouse Wifi that is password protected, etc.)
s
others may have more to add but if you need to consume 0 licenses it means you can't leverage any of the 'real' authentication. I would recommend you have the Suitelet(s) run with restricted permissions at least.
e
👍