Reviving a script to update CORS origins in PR-environments, encountering issues with token grants

10 replies
Last updated: Nov 14, 2022
Hey :)
We are using PR-environments and need to update CORS origins manually for each environment.
Some time ago, we had a script that allowed us to update CORS origins, authenticated using a token generated in the API section of the management interface. At some point this script stopped working, and I am now trying to revive it.
However, no matter which token I create (deploy studio token, reader, writer), I always get this error back when calling `GET /v1/projects/projectId/cors`:

{"statusCode":401,"error":"Unauthorized","message":"User is missing required grant sanity.project.cors/read to perform this operation"}

Is it possible to create a token that has this grant, and if so, how can we do it?
Nov 7, 2022, 2:58 PM
I think the issue may be that you're using V1 of the API. Can you try following this format?
Nov 7, 2022, 6:43 PM
Hey, RD! Thanks for the reply. I've tried the new format as well, but I still get the same error message.

I've posted a basic snippet of the call I'm trying to make.
Nov 8, 2022, 1:42 PM
Thanks for confirming! I gave it a shot and I'm getting the same behavior. I'm asking internally for more clarity!
Nov 8, 2022, 5:45 PM
Great! (or not so great, but you know what I mean 😁) Will you let me know what they say?
Nov 8, 2022, 9:43 PM
Will do!
Nov 8, 2022, 11:44 PM
I just had a chat with our previous Tech Lead, and apparently he reported this same issue around a year ago.
Nov 9, 2022, 6:01 AM
OK got clarity here. The CORS endpoint requires a developer or admin token. The developer role is not available on the free plan, so you'll need to use an admin token if that's what you're on. You were likely using an admin token in the past, then logged out somewhere which invalidated the token, or on an older plan that has access to a developer role. You can get access to your admin role's token by running
sanity debug --secrets | grep 'Auth token'
Nov 9, 2022, 4:17 PM
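As an added example (not code from this thread or from Sanity), here is the `GET .../cors` call from the question with the token read from an environment variable rather than pasted into a script, plus a classifier that recognises the "missing required grant" 401 shown above. The `api.sanity.io` base URL and the shape of the success body (a list of objects with an `origin` field) are assumptions.

```python
import json
import os
import re
import urllib.request
from urllib.error import HTTPError

# Assumed base URL; the thread only shows the path "/v1/projects/projectId/cors".
API_BASE = "https://api.sanity.io"

# Matches the message from the 401 body quoted in the thread.
GRANT_RE = re.compile(r"missing required grant (\S+)")


def classify_response(status, body):
    """Map an HTTP status and JSON body from the CORS endpoint to a plain result.

    Returns ("ok", [origins]) on 200, ("missing_grant", grant) for the 401
    seen in the thread, and ("error", message) for anything else.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if status == 200 and isinstance(data, list):
        # Assumed success shape: a list of {"origin": ..., ...} entries.
        return ("ok", [entry.get("origin") for entry in data])
    message = data.get("message", "") if isinstance(data, dict) else ""
    match = GRANT_RE.search(message)
    if status == 401 and match:
        return ("missing_grant", match.group(1))
    return ("error", message or f"HTTP {status}")


def fetch_cors(project_id, token=None, opener=urllib.request.urlopen):
    """GET the project's CORS origins with a bearer token taken from the
    environment (SANITY_AUTH_TOKEN, a name chosen here), so the secret never
    sits in the script itself or in a PR pipeline log."""
    token = token or os.environ["SANITY_AUTH_TOKEN"]
    req = urllib.request.Request(
        f"{API_BASE}/v1/projects/{project_id}/cors",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with opener(req) as resp:
            return classify_response(resp.status, resp.read().decode())
    except HTTPError as err:
        return classify_response(err.code, err.read().decode())
```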
So we have to expose an actual admin user's token somewhere to be able to automate this? Seems very strange that this couldn't be an API token with a specific grant. We're not on "Free", but on an "Advanced" plan, where we can only have "Administrator", "Editor" and "Viewer" roles. It did work with my personal token (administrator role), like you said it would, but I don't know how comfortable I would be putting our personal auth tokens "out there", even if it's in a key vault. If that's the case I'm more inclined to doing this manually every time we open a PR.
Nov 11, 2022, 9:18 AM
Thank you for your help on this issue, RD 🙂 Hope you guys will think about adding this as an API token feature instead of personal tokens. Seems like an endpoint that would be used often with CI/CD.
Nov 11, 2022, 9:20 AM
If you upgrade your plan you'll have access to the developer role (which won't require you to expose a user's token).
Nov 14, 2022, 5:42 PM