AI server and CORS?

In my own OGS client, I’m working on implementing the ability to request a score estimation from the AI server. Whenever the official client uses WASM estimation instead of an HTTP request, I use the same WASM blob, but this does leave cases like stone calculation where we want both players to hit the exact same estimator.

Hitting https://ai.online-go.com/api/score with a well-formed request returns a CORS error. If I have web debug tools spit me out a CURL one-liner, it executes fine from the CLI, so this is specifically the server sending CORS headers that triggers browser CORS enforcement to disallow my origin, where the standard https://online-go.com/api/v1/ API does not. (For context: this is an iOS/Android app running via a web-app wrapper, so it is not a website but does exist in a browser context that enforces CORS).

There are definitely workarounds I can do — either set up a simple proxy server, or write some custom native code so that this specific API request goes through the native HTTP stack that doesn’t enforce CORS. I imagine this is very intentional to avoid people abusing the more compute-heavy AI endpoints, though, so I wanted to check in about a few things:

  1. Is it in fact expected that third-party clients can access the https://ai.online-go.com/api/ API, or should I be handling the “stone calculation” phase differently than the production client? I’m fine to force all other score estimation cases (e.g. spectators, completed games) through the local-only flow, but it seems important that stone calculation is consistent.

  2. Is there a specific localhost port that’s already automatically whitelisted for dev testing purposes?

  3. Is it possible to request other origins be whitelisted for third-party client purposes? (My production use will be an iOS/Android app using Capacitor, which looks like it serves via capacitor://localhost in production.)

For thoroughness, I have made sure that both my localhost dev setup (http://localhost:5173) and the capacitor://localhost prod setup are included in my OAuth app’s “allowed origins” list in the OGS OAuth config app, but that does not make a difference.

Thanks!

2 Likes

Hi, I noticed this CORS problem too when I was playing around with autoscore algorithms and found that it works better with the beta endpoint at https://beta-ai.online-go.com/, so that might work for your testing at least.

I would also be interested to know what’s expected on the main servers.

3 Likes

Even if this is true, CORS seems like the wrong tool for it. I thought CORS is intended to prevent 3rd party sites reading sensitive data (like bank balance). The request is still sent and processed by the server; the browser just doesn’t let the site read it.

Server resources can be protected with auth and rate limits, which is why (I think) a JWT token is passed in with the request.

2 Likes
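The division of labour described in the post above (the browser enforces CORS on whether a page may read the response; the server protects its compute with auth and rate limits) as an added example. This is not OGS server code: the origin allowlist, the bearer-token table, the rate-limit numbers and the `decide()` request shape are all assumptions made up for the illustration.

```javascript
// Added example, not OGS code. Pure request-decision logic that could sit
// behind http.createServer((req, res) => { ... }) on the server side.

// Assumed allowlist. The two localhost origins are the ones named in the thread;
// in a real deployment this list comes from configuration, not source code.
const ALLOWED_ORIGINS = new Set([
  "https://online-go.com",
  "http://localhost:5173",
  "capacitor://localhost",
]);

// Exact-match lookup: an origin is either on the list or it gets no CORS
// headers at all. Reflecting an arbitrary Origin header back would turn the
// allowlist into "everyone".
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Max-Age": "600",
  };
}

// Fixed-window rate limiter keyed by a client identity (here the token
// subject). The clock is injectable so the behaviour can be tested.
class RateLimiter {
  constructor(limit, windowMs, now = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map();
  }
  allow(key) {
    const t = this.now();
    const b = this.buckets.get(key);
    if (!b || t - b.start >= this.windowMs) {
      this.buckets.set(key, { start: t, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Constructed stand-in for token validation. A real server would verify the
// JWT signature and expiry; the table is only here so the example is self-contained.
const VALID_TOKENS = new Map([["constructed-token-for-alice", "alice"]]);
function subjectFor(authHeader) {
  const m = /^Bearer (.+)$/.exec(authHeader || "");
  return m ? VALID_TOKENS.get(m[1]) || null : null;
}

// Decide what to send for one request described as { method, headers }.
// Returns { status, headers, body } so it can be inspected without a socket.
function decide(req, limiter) {
  const cors = corsHeadersFor(req.headers.origin);
  const headers = { ...(cors || {}) };

  if (req.method === "OPTIONS") {
    // Preflight. An unknown origin is refused outright; even if it were
    // answered 204 with no ACAO header, the browser would still block the
    // real request. Either way no estimator work has been done yet.
    return { status: cors ? 204 : 403, headers, body: "" };
  }

  // The actual request: this is where compute is spent, so this is where the
  // server-side controls live. Note that the Origin header plays no part here;
  // a curl call with no Origin and a valid token is served exactly like a browser.
  const subject = subjectFor(req.headers.authorization);
  if (!subject) return { status: 401, headers, body: "missing or invalid token" };
  if (!limiter.allow(subject)) return { status: 429, headers, body: "rate limited" };

  // Work would happen here. For a non-allowlisted origin the response still
  // carries no ACAO header, so a browser page cannot read it, but the server
  // has already paid for the computation: CORS gates the reader, not the work.
  return {
    status: 200,
    headers: { ...headers, "Content-Type": "application/json" },
    body: JSON.stringify({ subject, estimate: "constructed-result" }),
  };
}
```

Running `decide()` with a non-allowlisted origin and a valid token returns 200 without an `Access-Control-Allow-Origin` header: the server processed the request, and only the browser refuses to hand the result to the page. Swapping in a real JWT check and a per-subject or per-IP limiter is what actually bounds load on an expensive endpoint; the allowlist only decides which web origins may read responses.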

This seems to have mystically sorted itself out — I don’t know if anything changed on the backend (thank you if so!) or what, but I can now successfully make AI score requests without CORS errors.

However, I’m now getting the same issue with requests to automatch-stats. https://online-go.com/termination-api/automatch-stats?ranks=2,3,4,5,6,7,8 (or same URL with beta.online-go.com) fails with a CORS pre-flight failure in the browser, but if I export the exact same HTTP request as a CURL one-liner, the CURL succeeds.

1 Like