Always error cors, when trying to request to get file

Frappe Framework
, ,
1

Hallo i have case to make docx preview for my app, and for that i trying to get the file from this url

http://localhost:8001/files/15_41_ST_OSP_II_2025%20-%20BDES.docx

with this code

const renderDocx = async () => {
	try {
		const response = await fetch(`http://localhost:8001/files/15_41_ST_OSP_II_2025%20-%20BDES.docx`, { mode: "no-cors" })
		const blob = await response.blob()

		const arrayBuffer = await blob.arrayBuffer()
		docxParser.renderAsync(arrayBuffer, viewerContainer.value, null, {
			inWrapper: false,
			breakPages: false
		})
	} catch (error) {
		console.error("Gagal memuat file DOCX:", error)
	}
}

But it got error cors like this

[type or paste code here](http://localhost:8001/files/15_41_ST_OSP_II_2025%20-%20BDES.docx)

I already change my config like this

{
    "db_name": "xxx",
    "db_password": "xxx",
    "db_type": "mariadb",
    "allow_cors": "*"
}

but still got error, i just want to show docx from frappe to vue :frowning:
and another question, how to allow all logged in user for all private file? for example i have this code for uploading file

def upload_document_to_file_manager(self, nama_surat, file):
		try:
			with open(file, 'rb') as f:
				file_data = f.read()

			# Get the current year and month in Roman numeral format
			year_now = frappe.utils.nowdate().split('-')[0]
			month_now_roman = frappe.utils.formatdate(frappe.utils.nowdate(), "MM")

			# Define the full folder path based on your structure
			folder_structure = f"Surat/Surat Tugas/{year_now}/{month_now_roman}"

			# Create folders if not exist
			self.create_folders_if_not_exist("Home", folder_structure)

			# Final folder path after folder creation
			final_folder = f'Home/{folder_structure}'

			# Create the new file in the final folder
			_file = frappe.get_doc({
				"doctype": "File",
				"file_name": nama_surat,
				"folder": final_folder,
				"content": file_data,
				"is_private": 1,
				"ignore_duplicate_entry_error": True
			})
			_file.save()

			# Get the file URL (this is the public URL if the file is public, otherwise it's a private path)
			file_url = _file.file_url

			# Save the file URL or path back to the document
			self.doc_url = file_url  # Assumes 'file_url' field exists on the Surat Tugas doctype

			# Delete the temporary file
		except Exception as e:
			frappe.logger().error(f"Error uploading file: {e}")

		finally:
			if os.path.exists(file):
				os.remove(file)
				frappe.logger().info(f"Temporary file {file} deleted.")
				print(f"Temporary file {file} deleted.")

but that file only accessible for administrator, how to set all logged in user can access private file?

Thank you!

2

For the first error, I recommend passing the Authorization header for authentication as follows:

"Authorization": "token your_api_key:your_api_secret"

Steps to Get API Key & Secret

  1. Login as Administrator in Frappe.
  2. Go to User List (/app/user).
  3. Open the Administrator user (or the user making API requests) and Go To Setting.
  4. Scroll down to the API Access section.
  5. Click “Generate Keys” to obtain the API Key and API Secret.