perpage, no underscore.

That's my mistake with the quoting. I used perpage first and then tried per_page because it was formatted like that in the result. Neither works it seems. Did it work for you?

only if perpage is divisible by 25. E.g. 25, 50, 75, 100.

Thanks. I can't see any other way to limit the results. I assumed it would be arbitrary, is it fixed for a reason?

Hi,

Here are the possible values: 5,10,15,25,30,40,50,75,100

This is how it was in the legacy site, and we brought it over. It's probable that we could enable users to select whatever values they want, and I will consider it in the future. For now, 5 is the minimum.

Redundant post, please delete.

https://api.mangaupdates.com/v1/series/0n1a5nx

Why doesn't this API work? I am getting the error:
*{"status":"exception","reason":"An unexpected exception occurred. Please report to an admin."}
*

edit: I found out it wan't real ID.

The ID you used was the base36 encoded ID. Just decode it and use the integer value.

curl https://api.mangaupdates.com/poll

returns a 500 error code

EDIT: aaand I'm dumb and dropped the /v1 from the URL.

Hey. I am also here because I have a problem with cors.

Currently I want to develop a browser extension with the mangaupdates api, so that managing mangas gets easier.

My plan was:
Browser extension adds a MangaUpdates Button on scanlation Sites. This button then redirects to the correct manga on MangaUpdates. So that everyone can easily update their chapter status. (I find it a hassle, to search for a manga and update them, if I read multiple a day.

Here the Problem:
When using the api, through a browser extension the api gets called through the website the extension is loaded.

So of course I get a CORS error.

There a 3 solutions:

• i create my own server which acts as gateway
• I hard link all mangas (but then the extension would get bloated)
• cors = *

Why do you have cors disabled? Normally u would use cors to restrict the API to specific websites. So that for example no one can clone the website and host it on their own. Or that only a specific website is allowed to do specific requests, for example updates/POST.

Hi,

This has been requested before. We are still evaluating any potential security vulnerabilities and concerns involved in such an approach.

Our current design plan is such:

• Allow all non-authenticated actions with ACAO: *
• Read origin header when user executes login request and store that origin in the database. Any time an authenticated request is made, echo the origin back in ACAO assuming it matches the original Origin.
• Allow ACAH: Authorization for authenticated requests with the proper origin.

Of course, this would only allow you to access data from the original site/origin you logged in from, and it would potentially expose credentials to misconfigured scripts (which is out of our control).

Enabling CORS seems to be one of the most ambiguous security considerations one can make. If at a future date we decide to enable this, we will make sure to post an update.

that sounds kinda overkill:

Read origin header when user executes login request and store that origin in the database. Any time an authenticated request is made, echo the origin back in ACAO assuming it matches the original Origin.

From my view what you are trying to implement gets near OAuth? But with the difference the other website still has access to all requests and not only specific resources.

Will also use a lot of database resources, just for requests…

But lets say it’s implemented like this. still if a malicious browser extension or malicious dependency or anything runs on that user trusted page, you can’t do anything against that. Also if the page owner does something stupid.

my View is, that a user should be responsible for his login actions.
If you don’t want such things to happen then don’t allow cors for user based actions.

I think allowing cors for non user based actions would be a step in the right direction! Search etc.

If you want to make user data accessible to other services than implement something fitting, for example OAuth.

I hope I don’t come across as confronting as I read it myself. Sorry 😀 (it’s the German accent😂)
I am just trying to share my developer experience 🙂

Can you point me to some other examples of existing apis that use the cors settings you want to implement? I'd like to look at their headers, and also read their documentation to see any concerns or configuration differences they have.

I don’t really have examples, as I based the text in my actual experience in the IT industry.

My experience is just that normally you don’t do apis with CORS.
But if you want to make a service available in the web to other websites you add cors.
But if the service handles user data, normally you would never expose It to other websites. Only through specific methods like OAuth.

But without security issue you can mark all endpoint which don’t need user authentication with ACAO=*

Such as search, filtering, getting mangas.

For example in spring (Java/kotlin) this would mean marking a few of your endpoints with @CrossOrigin(origins="*").

Quote from YuriM

Anyway people will find a way to scrape. Maybe you just release db dump monthly or so? Like anidb or wikipedia.

This please

[img]http://i.imgur.com/9BHy24f.png[/img]

Recruiting:
https://quicksandscans.wordpress.com/recruitment/