For many years now, as a hobby, I’ve been working on a web-based app that provides a UI for SmartThings devices, and it has worked really well using my (now grandfathered) PAT.
Yesterday, I suddenly started getting 204 errors for every request, indicating to me perhaps Samsung made a change as to how it handles CORS allowed hosts?
After reading a lot, I switched over and implemented an OAuth app via the ST CLI, got an access token that way, and get the same result when using that key as I do my PAT.
All these keys (multiple PATs, and an OAuth 2.0 generated token) still work fine for making calls in something like Postman, but they’re blocked out from being used on the web, when they worked fine Tuesday morning.
Any info on what changed or how I can reformat my requests to get data once again would be appreciated!
Hi, @patrickcentral
So, you’re getting the Access Token correctly, meaning the OAuth flow is completed successfully.
But then, you try to make a call to the API, and you get this error, right?
Can you share the complete call you’re trying to perform, please?
I’ve seen this before when trying to make a call from the front end (instead of a server in the backend), is this where you’re trying to make the call?
Thanks for the fast response. Yes, I am trying to make this call from JavaScript in the browser front-end. It’s a common error for good reason for many APIs, but SmartThings has not had any issue with it for years and now all of a sudden it’s chucking errors.
Here’s an example GET call (I split the headers bit into its own function normally because it’s repetitive, but am simplifying here while including everything for clarity) - config is an object with the token pulled from localStorage, deviceID is deviceID, capability is something like battery, temperatureMeasurement, etc.
```javascript
// config, deviceID and capability are defined elsewhere in the app (described above)
let rootURL = "https://api.smartthings.com/v1/devices/" + deviceID + "/components/main/capabilities/" + capability + "/status";
let options = new Object();
let headers = new Headers();
headers.append("Content-Type", "application/json");
headers.append("Accept", "application/json");
headers.append("Authorization", "Bearer " + config.app.token);
options = {
  method: 'GET',
  headers: headers,
  redirect: 'follow'
};
fetch(rootURL, options)
```
Again, this has been working fine since…2018? Whether from localhost in a browser or running off a Progressive Web App hosted online and saved to a mobile device’s home screen. Tuesday afternoon it’s like ST just changed their CORS rules all of a sudden.
As the tokens and API work fine in Postman, I have to assume it’s not some silent rate limit or other kind of ban on me in particular.
Thank you for the information, @patrickcentral
I’ll share this case with the engineering team to get their feedback. Once I hear from them, I’ll let you know.
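For readers comparing the browser and Postman behaviour discussed in this thread, here is an added example (not part of any post and not SmartThings code) that models the browser's CORS preflight decision for the header set used in the fetch call above. It is a simplified model of the Fetch standard's rules; the origin `https://app.example`, the placeholder token and the response headers are constructed assumptions, not values captured from the SmartThings API.

```javascript
// Added example: models the browser's CORS preflight decision (Fetch standard).
// All sample values are constructed; nothing here was captured from SmartThings.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Same header set as the fetch() call in the thread; the token is a placeholder.
const REQ = { "Content-Type": "application/json", Accept: "application/json", Authorization: "Bearer <token>" };

// Header names (lower-cased, sorted) that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n === "content-type") return !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase());
    return true; // e.g. Authorization is never safelisted
  }).map(([name]) => name.toLowerCase()).sort();
}

// A request goes out without a preflight only if method and headers are all safelisted.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// Would this preflight (OPTIONS) response let the real request go out?
// Assumes a fetch without cookies (credentials not included), as in the thread.
function preflightAllows(origin, method, headers, status, resHeaders) {
  const res = Object.fromEntries(Object.entries(resHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const list = (h) => (res[h] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (status < 200 || status > 299) return "blocked: preflight status not 2xx";
  const acao = res["access-control-allow-origin"];
  if (acao !== "*" && acao !== origin) return "blocked: origin not allowed";
  const methods = list("access-control-allow-methods"); // case-folded for simplicity
  if (!SAFE_METHODS.has(method.toUpperCase()) && !methods.includes(method.toLowerCase()) && !methods.includes("*"))
    return "blocked: method not allowed";
  const allowed = list("access-control-allow-headers");
  for (const h of unsafeHeaders(headers)) {
    // A "*" wildcard never covers Authorization; it must be listed by name.
    if (!allowed.includes(h) && !(allowed.includes("*") && h !== "authorization"))
      return "blocked: header not allowed: " + h;
  }
  return "allowed";
}

console.log(needsPreflight("GET", REQ), unsafeHeaders(REQ));
console.log(preflightAllows("https://app.example", "GET", REQ, 204,
  { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*" }));
```

Postman and server-side clients do not perform this check at all, which is why the same token can succeed there while the browser refuses to send the request; the preflight response headers in the browser's network tab show which rule applies.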