HTTP request fails with anonymous access

Help & Support đź’»
1

I have an app that on load requests data from several APIs. Today, I wanted to test the app when publicly accessed by anonymous access, but one of the requests fails. Well, the request itself succeedes, but the response is just

<html>
    <head>
        <title>Request Rejected</title>
    </head>
    <body>
        The requested URL was rejected. Please consult with your administrator.<br>
        <br>
        Your support ID is: 13051143813188554833<br>
        <br>
        <a href='javascript:history.back();'>[Go Back]</a>
    </body>
</html>

The URL I’m requesting is https://a2a.bancaditalia.it/infostat/dataservices/export/EN/CSV/ALL/CUBE/BANKITALIA/DIFF/QMOT0100 (Opening link will download a ZIP)
simply put in the URL field of the action:
image

I also tried to create a datasource with the Base URL set to this link and Anonymous access allowed, but it still “fails”.

I don’t really understand what the problem is because the payload of the request is almost the same. The only differences are the parameters environment, set to prod instead of dev, and isBuilder, set to false instead of true.

If any of you got an idea or suggestion, I’m all ears.

2

Hey @Max,

Thanks for reporting it, the issue seems weird…
The only way I managed to query that URL — as on your screenshot, no datasource + empty base URL + full URL.

I’ll check with the team!

1 Like
3

@Max, we’ve able to track down the bug!
Long story short, it’s because of cookies :face_with_peeking_eye:
If any of your data sources have cookies — others will get cookie: "" appended… Direct HTTP API steps (with no data source) have no cookies at all, so request works as expected.

We’ll fix this behavior in further versions!

1 Like
4

Awesome, thank you!
Strangely, though, the Direct HTTP API step fails for me despite the lack of data source. But only when opening the Embed URL as an anonymous user, e.g. in incognito. Does the anonymous access also cause cookie: "" to be appended?

5

Hmmmm… We’ve pushed a fix for cookies, it will become available next Thursday. I’ll test additionally with anonymous access.

1 Like
6

Updated to v3.136.0 today and tested it, but it still fails with anonymous access. At this point, I have to search for alternatives.

7

Just tested it on cloud with anonymous access enabled:

Screenshot_02-07-2025_11-09@2x
Screenshot_02-07-2025_11-09@2x1344Ă—1010 111 KB

Seems OK :thinking:

May I ask you to set UI_BAKERY_LOG_HTTP_REQUESTS=true and obtain logs of the datasource container during request?

8

Just so we are on the same page, it also executes correctly if I directly run the action. But if I set the app to public and open the Embed URL in an incognito browser window, instead of the ZIP, I receive that snippet I showed in the original post of this thread.

Here are the logs: 
2025-07-02 12:27:22 3.136.0 [LOGREQUEST]: (1751459242980) info: HTTP QUERY REQUEST: {"datasourceCreatedAt":"2025-06-04T10:07:59.000+00:00","credentials":"REMOVED"}; PARAMETERS: undefined; REQUESTED_PROPERTIES: none
 2025-07-02 12:27:22 3.136.0 [[DATASOURCE] HTTP]: (1751459242980) info: Request config:
 {
   "url": "https://a2a.bancaditalia.it/infostat/dataservices/export/EN/CSV/ALL/CUBE/BANKITALIA/DIFF/QMOT0100/infostat/dataservices/export/EN/CSV/ALL/CUBE/BANKITALIA/DIFF/QMOT0100",
   "method": "GET",
   "headers": {
     "User-Agent": "uibakery.io",
     "UI-Bakery-Role": "anon",
     "UI-Bakery-Roles": "anon",
     "UI-Bakery-User": ""
   },
   "params": {},
   "responseType": "arraybuffer",
   "timeout": 90000,
   "httpAgent": {
     "_events": {},
     "_eventsCount": 2,
     "defaultPort": 80,
     "protocol": "http:",
     "options": {
       "cookies": {
         "jar": {
           "version": "tough-cookie@4.1.3",
           "storeType": "MemoryCookieStore",
           "rejectPublicSuffixes": true,
           "enableLooseMode": false,
           "allowSpecialUseDomain": true,
           "prefixSecurity": "silent",
           "cookies": []
         }
       },
       "noDelay": true,
       "path": null
     },
     "requests": {},
     "sockets": {},
     "freeSockets": {},
     "keepAliveMsecs": 1000,
     "keepAlive": false,
     "maxSockets": null,
     "maxFreeSockets": 256,
     "scheduling": "lifo",
     "maxTotalSockets": null,
     "totalSocketCount": 0
   },
   "httpsAgent": {
     "_events": {},
     "_eventsCount": 2,
     "defaultPort": 443,
     "protocol": "https:",
     "options": {
       "cookies": {
         "jar": {
           "version": "tough-cookie@4.1.3",
           "storeType": "MemoryCookieStore",
           "rejectPublicSuffixes": true,
           "enableLooseMode": false,
           "allowSpecialUseDomain": true,
           "prefixSecurity": "silent",
           "cookies": []
         }
       },
       "noDelay": true,
       "path": null
     },
     "requests": {},
     "sockets": {},
     "freeSockets": {},
     "keepAliveMsecs": 1000,
     "keepAlive": false,
     "maxSockets": null,
     "maxFreeSockets": 256,
     "scheduling": "lifo",
     "maxTotalSockets": null,
     "totalSocketCount": 0,
     "maxCachedSessions": 100,
     "_sessionCache": {
       "map": {},
       "list": []
     }
   }
 }
 2025-07-02 12:27:22 3.136.0 [DATA SOURCE REQUEST]: (1751459242980) info: Started query execution
 2025-07-02 12:27:23 3.136.0 [DATA SOURCE REQUEST]: (1751459242980) info: Completed query execution (138 ms)
 2025-07-02 12:27:23 3.136.0 [DATA SOURCE DATA PARSING]: (1751459242980) info: Started preparing data
 2025-07-02 12:27:23 3.136.0 [DATA SOURCE DATA PARSING]: (1751459242980) info: Completed preparing data (1 ms) for 1 items
 2025-07-02 12:27:23 3.136.0 [RESPONSE]: (1751459242980) info: Sending success response - 200
1 Like
9

Thanks for the logs provided!

Yes, I missed incognito mode, sorry for this. Passed all the details to the dev team.

1 Like