[Timothee]

The problem I had with XMLHttpRequest was that the API would use the current Heroku cookie rather than the API token passed in with the request.

With curl, the doc says to use a blank username and the token as password in Basic Auth. When I do that with XMLHttpRequest, the token is completely ignored and the main site's cookie is used. There is no way not to pass the cookie with XMLHttpRequest unfortunately, so I would have to rely on if the user is logged in or not. That would bring other problems: I could only use the API for one account at a time for example, and I would have to add checks to see if the user is logged in, etc.

So my work-around was to write a proxy that would just pass around the requests to Heroku and the response back to the XMLHttpRequest client. (https://github.com/Timothee/Passeplat) With it, I can make the same requests I would make to https://api.heroku.com but instead make them to mypasseplatinstance.heroku.com.

Making this a Heroku-ready app is of course not a coincidence: my plan is to use my Heroku instances (the proxy and the yet-to-be-written git clone) to bootstrap a couple of Heroku instances with the user's own Heroku account. Then the extension would use these to start up other apps. I like the bootstrap idea: it's like compiling a compiler. :)

I'm now realizing that it might even be done with a buildpack… I'd have to look into that. (that would remove the need for that second "git clone" app) Hum, I'll really have to look into that! That could make things much easier and cleaner. (and also cooler)

There would still be the issue of specific configurations and add-ons to deal with, but that shouldn't be too hard if the rest is done.

edit: I haven't checked if this is still a problem with today's announcement. Also, I contacted Heroku support about it, but they only suggested I use a proxy.

[geemus]

Interesting. I fear I'm mostly a back-end type of guy (ie not much experience with XMLHttpRequest). Sounds like the browser may be at issue to some extent. I certainly find the behavior you describe to be surprising. Is there something we can change to better facilitate this?

[Timothee]

It seems to me that the problem is that the backend is treating the XHR like if you were hitting the main site. So sometimes (but not for all endpoints I think), if I were logged out, the XHR would be redirected to the login page.

To me, the API endpoints should behave the same way in a browser as with curl without ever redirecting to the login page.

But, once again, it might have been fixed in the meantime… I haven't tried recently.

[geemus]

Sure. I haven't tried either. Its on my list of stuff to dig into and sort out, so hopefully we have a better answer soon.

[mnutt]

What if you got around it by instead just registering a domain and pointing it to the heroku api's IP? I'm not sure if heroku's api would be ok with the mismatched Host header, but it would be less moving parts.

[Timothee]

Interesting idea. I'll have to give it a try. Thanks!