Is CORS still a security concern with the v2 API?

I’m aware of this thread: CORS issue in Patreon API [SOLVED] which was resolved with:

We intentionally do not support client-side requests for security reasons.
We will allow that once we implement client tokens which have a different OAuth flow and will allow some interesting features with it.

However, I believe this relates to version 1 of the API, which I believe required both the Client ID and the Client Secret to be exposed. In version 2, only the Client ID is required, but I’m still seeing a CORS error when attempting to call https://www.patreon.com/oauth2/authorize client-side.

Is this still a security concern and does this CORS block still need to be in place for the v2 API?

Disclaimer: I used to be a Patreon employee who worked on the API

The reason CORS is disabled is that the Patreon API does not support “client tokens”, which enable safe usage of access tokens. The issue is the tokens, not the API itself.

Client tokens are usually short-lived (normally 30 min) and are passed via a URL fragment argument to avoid them being logged to a server, and are normally only used via JavaScript and CORS.

I hope this helps.

Did you ever figure out how to use the Patreon API, if we can’t use CORS/JavaScript? Looking for a good resource for non-experts; working on a web game where the Patreon tier will include extra content.

What do you need CORS for? Do you want to include Patreon libraries directly from Patreon or something?

I took your suggestion (I think) and downloaded the Patreon API using npm. But I am making a Cocos-JS web game (only for web browsers). How do I locally use this package without revealing my secret ID in the file? I’m asking because I was trying to access the Patreon libraries directly from Patreon, because that’s what I’ve seen people attempting online (I am a less experienced developer; I think I’m missing something). Would love your advice on using the Patreon API in my web game so I can give subscribers access to exclusive content.

If your setup is such that it may be problematic to directly use the JS library, you can use an intermediary at your server to receive requests from users and then validate their patronage server-side by directly contacting the Patreon API.

The PHP lib is a good example.

This may be a better way in various respects since you would be able to do things like mass-processing users in the backend as well.

I.e., your web game probably already has a user login system and knows who a user is. You can have users connect their web game accounts to their Patreon accounts using the PHP library. This will mean that you now know which user is which patron. At that moment, the user’s patronage is already available in the backend at your web server, and you can just directly allow/disallow web game features to the user.

The WordPress plugin uses a Patreon login/connect flow which allows users to easily connect their Patreon accounts to the local WP account. You can imitate that flow for your app.
