Preflight on Serverside
Answered
B33fb0n3 posted this in #help-forum
B33fb0n3OP
Hey, when the browser makes a request to an external endpoint the browser automatically creates the preflight (see attached). Only with that I can get the external data.
When I am doing the fetch now serverside, there is no browser that can send this preflight, so I do it myself (copied the "preflight") and used it inside before the fetch. But then the preflight will result in an error: https://pastebin.com/tzpn4FWE
Why and how to resolve it?
Answered by joulev
let's just put it this way. your server is probably in a data centre which means it shares the same subnet with many other servers, on which the malicious requests are made. hence discord blocks the ip range. your personal ip address is not part of any blocked ip ranges, but a server in us-east for example is likely to fall inside the blocked ip range. this is a pretty common anti-spam tactic.
44 Replies
@B33fb0n3 Hey, when the browser makes a request to an external endpoint the browser automatically creates the preflight (see attached). Only with that I can get the external data.
When I am doing the fetch now serverside, there is no browser that can send this preflight, so I do it myself (copied the "preflight") and used it inside before the fetch. But then the preflight will result in an error: https://pastebin.com/tzpn4FWE
Why and how to resolve it?
Why would you need preflight when you make a fetch in the server side?
as preflight is only needed in the browser
@James4u Why would you need preflight when you make a fetch in the server side?
B33fb0n3OP
The external API is configured so that it only returns data if I have previously sent a preflight. If I send a request (from my nextjs server) without the preflight, the request is rejected due to CORS.
The (blocked) result itself looks like this: https://pastebin.com/FeptVEtD
However: it's a publicly accessible API (as you saw in my screenshots -> I got status 200 instead of 403)
@B33fb0n3 The external API is configured so that it only returns data if I have previously sent a preflight. If I send a request (from my nextjs server) without the preflight, the request is rejected due to CORS.
The (blocked) result itself looks like this: https://pastebin.com/FeptVEtD
However: it's a publicly accessible API (as you saw in my screenshots -> I got status 200 instead of 403)
well, If I am not wrong, public APIs wouldn't require preflights - I assume the external API is explicitly designed to only accept requests that mimic browser behavior
@B33fb0n3 The external API is configured so that it only returns data if I have previously sent a preflight. If I send a request (from my nextjs server) without the preflight, the request is rejected due to CORS.
The (blocked) result itself looks like this: https://pastebin.com/FeptVEtD
However: it's a publicly accessible API (as you saw in my screenshots -> I got status 200 instead of 403)
not sure why you get 403 if it's a public api. when you make a request from the browser, don't you have any auth token in your auth header?
@James4u well, If I am not wrong, public APIs wouldn't require preflights - I assume the external API is explicitly designed to only accept requests that mimic browser behavior
B33fb0n3OP
hmm if a server can be configured like that, that could be a simple explanation.. 🤔
How to mimic browser behavior from the server?
@James4u not sure why you get 403 if it's a public api. when you make a request from the browser, don't you have any auth token in your auth header?
B33fb0n3OP
yes, I copied the whole request and executed it from the server
B33fb0n3OP
@James4u How to mimic browser behavior from the server?
@B33fb0n3 @James4u How to mimic browser behavior from the server?
well actually I also meant the same thing you did to make a preflight
but if you copy pasted and it didn't work, I have no clue
@James4u well actually I also meant the same thing you did to make a preflight
B33fb0n3OP
Yea, inside the browser that happens automatically.
When running the app locally everything works like expected. So localhost seems to be allowed. I thought about pushing that to a server to have it be localhost, but when I make my server available then it won’t be localhost anymore, right?
@James4u it won't be
B33fb0n3OP
yea.. I hate that...
Forest yellowjacket
What is the API? Do you have the docs?
@B33fb0n3 The external API is configured so that it only returns data if I have previously sent a preflight. If I send a request (from my nextjs server) without the preflight, the request is rejected due to CORS.
The (blocked) result itself looks like this: https://pastebin.com/FeptVEtD
However: it's a publicly accessible API (as you saw in my screenshots -> I got status 200 instead of 403)
server side requests never get rejected due to CORS. CORS is a browser-only thing.
@joulev server side requests never get rejected due to CORS. CORS is a browser-only thing.
B33fb0n3OP
hmm ok. Why are my server side requests rejected with 403 and, when using my browser with the same details, the request runs through with status 200?
@B33fb0n3 hmm ok. Why are my server side requests rejected with 403 and, when using my browser with the same details, the request runs through with status 200?
403 is not cors – cors are request failures without a status.
extremely likely you don't have the necessary cookies attached to the request.
unless the 403 response has the json saying "no preflight" in which case i'll need more information, starting with what backend is this.
@joulev 403 is not cors – cors are request failures without a status.
extremely likely you don't have the necessary cookies attached to the request.
B33fb0n3OP
I checked the request again to make sure all necessary cookies are attached and it looks like the correct ones are attached (when I copy the request parameters to my browser it works fine).
Also when I am on localhost and sending it through the server the request will also respond with data (status 200). Once deployed, the requests result in 403 errors
The backend is the discord backend. The api is not officially documented from discord. However the community made their own docs: https://github.com/discord-userdoccers/discord-userdoccers?tab=readme-ov-file#discord-unofficial-user-api-documentation
Forest yellowjacket
What is the specific doc you are reading to use the profile endpoint?
Tried to find, but could not find it
@Forest yellowjacket What is the specific doc you are reading to use the profile endpoint?
B33fb0n3OP
I am using this one (I can't link the direct topic). From these endpoints: https://github.com/discord-userdoccers/discord-userdoccers/blob/master/pages/resources/user.mdx#endpoints
Forest yellowjacket
This may be completely stupid, but your request is to a /profile?
@B33fb0n3 I checked the request again to make sure all necessary cookies are attached and it looks like the correct ones are attached (when I copy the request parameters to my browser it works fine).
Also when I am on localhost and sending it through the server the request will also respond with data (status 200). Once deployed, the requests result in 403 errors
The backend is the discord backend. The api is not officially documented from discord. However the community made their own docs: https://github.com/discord-userdoccers/discord-userdoccers?tab=readme-ov-file#discord-unofficial-user-api-documentation
> Also when I am on localhost and sending it through the server the request will also respond with data (status 200). Once deployed, the requests result in 403 errors
which means discord or cloudflare is intentionally blocking your server IP, which makes sense for them considering the amount of abusive requests they receive.
@Forest yellowjacket This may be completely stupid, but your request is to a /profile?
B33fb0n3OP
yes, I am requesting to
/users/${userId}/profile
it does not make sense to send preflights from nodejs because preflight/cors is only applicable in the browser context
@joulev > Also when I am on localhost and sending it through the server the request will also respond with data (status 200). Once deployed, the requests result in 403 errors
which means discord or cloudflare is intentionally blocking your server IP, which makes sense for them considering the amount of abusive requests they receive.
B33fb0n3OP
oh yea that makes more sense. Wouldn't my personal IP address (that I am using locally using localhost) also be blocked from them?
@B33fb0n3 oh yea that makes more sense. Wouldn't my personal IP address (that I am using locally using localhost) also be blocked from them?
discord usually includes ratelimit headers in response
check for that to make sure u dont exceed them
if u fetch on the server, all headers that are usually send by a browser will not be included
so cloudflare or even discord probably is checking for that and maybe interpreting your request in a more strict way
u can always change headers on the server to mimic browser behaviour
so basically that will bypass any endpoint that doesnt require any keys and only works using the headers
u can automate this using puppeteer to request the endpoint, get the response cookies or whatever, and use that further for your serverside requests
and then just renew them once the cookie is invalid again
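Two points from this thread are worth pinning down in code: joulev's remark that a CORS failure has no HTTP status while a 403 is a real server response, and gin's advice to check Discord's rate-limit headers. The snippet below is an added example, not code from the thread or from Discord; the header names follow Discord's public API documentation, and the sample responses are constructed stand-ins for the cases discussed above.

```javascript
// Classify what came back from fetch(). `err` is the rejection (if any), `res` the Response
// (or a plain { status, headers } object). A CORS-blocked request in the browser never
// yields a Response at all: fetch() rejects with a TypeError and there is no status.
function classifyOutcome(err, res) {
  if (err) {
    // Browsers surface CORS and network failures as a TypeError with no Response.
    return err instanceof TypeError ? "cors-or-network-failure" : "other-error";
  }
  if (res.status === 403) return "forbidden";      // a real response, e.g. IP range blocked upstream
  if (res.status === 429) return "rate-limited";   // the rate-limit bucket is exhausted
  return res.status >= 200 && res.status < 300 ? "ok" : `http-${res.status}`;
}

// Read Discord-style rate-limit headers (names per Discord's public API docs). Accepts a
// Fetch Headers object or a plain object keyed by lower-case header name; NaN when absent.
function readRateLimit(headers) {
  const get = (name) =>
    typeof headers.get === "function" ? headers.get(name) : headers[name.toLowerCase()];
  const num = (name) => (get(name) == null ? NaN : Number(get(name)));
  return {
    limit: num("X-RateLimit-Limit"),
    remaining: num("X-RateLimit-Remaining"),
    resetAfter: num("X-RateLimit-Reset-After"),    // seconds until the bucket resets
    retryAfter: num("Retry-After"),                 // sent with 429 responses
    global: get("X-RateLimit-Global") === "true",
  };
}

// Decide from the previous response's headers whether another request may be sent now.
function canSendNow(headers) {
  const rl = readRateLimit(headers);
  if (Number.isNaN(rl.remaining)) return true;     // no rate-limit info: nothing to honour
  return rl.remaining > 0;
}

// Constructed sample outcomes standing in for the three cases discussed in the thread.
function runDemo() {
  const corsFailure = new TypeError("Failed to fetch");   // what the browser throws on a CORS block
  const blocked = { status: 403, headers: { "content-type": "application/json" } };
  const limited = { status: 429, headers: { "x-ratelimit-remaining": "0", "retry-after": "2" } };
  return {
    browserCors: classifyOutcome(corsFailure, null),       // "cors-or-network-failure"
    serverBlocked: classifyOutcome(null, blocked),         // "forbidden"
    serverLimited: classifyOutcome(null, limited),         // "rate-limited"
    waitSeconds: readRateLimit(limited.headers).retryAfter, // 2
    mayRetryNow: canSendNow(limited.headers),              // false
  };
}
```

Feeding the real fetch() result into classifyOutcome makes the distinction explicit: a 403 from the deployed server is an upstream decision about the request, not a CORS error, and no amount of preflighting changes it.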
@B33fb0n3 oh yea that makes more sense. Wouldn't my personal IP address (that I am using locally using localhost) also be blocked from them?
let's just put it this way. your server is probably in a data centre which means it shares the same subnet with many other servers, on which the malicious requests are made. hence discord blocks the ip range. your personal ip address is not part of any blocked ip ranges, but a server in us-east for example is likely to fall inside the blocked ip range. this is a pretty common anti-spam tactic.
Answer
@gin discord usually includes ratelimit headers in response
B33fb0n3OP
yes they would include some of them. I think I didn't exceed them as the error is a 403 forbidden instead of a 429 rate limiting. Maybe I read the error message wrong [(see here)](https://pastebin.com/FeptVEtD)
@joulev let's just put it this way. your server is probably in a data centre which means it shares the same subnet with many other servers, on which the malicious requests are made. hence discord blocks the ip range. your personal ip address is not part of any blocked ip ranges, but a server in us-east for example is likely to fall inside the blocked ip range. this is a pretty common anti-spam tactic.
B33fb0n3OP
oh that might be a solution. I will test this on an "unpopular" server
@gin did u solve the issue?
B33fb0n3OP
I am working on it.. when deploying it on my vps and running
next build
and next start
the types (inside the tsx) are broken. But I am on it 👍
B33fb0n3OP
Deploying it on my own VPS (with its own IP) worked. Thanks! 🙂