OPTIONS preflight request requires API key only on us-west4-gcp

waseem.wasaya · April 24, 2024, 7:33pm

This prevents me from using an SPA frontend to send requests directly to pinecone. I have an api key but i cannot modify the preflight request.
It works properly on indexes hosted on AWS, so it seems like a bug.

patrick1 · April 29, 2024, 10:47am

Hello @waseem.wasaya,

Can you tell us a little more about your use case? It sounds like you have some front-end code that will call the index directly. Is this right?

I’m concerned about how you are storing and protecting the Pinecone API Key in this setup. The API key should be treated like a password.

Regarding the problem itself, can you share a snippet of the code, the API being called and the entire error message?

waseem.wasaya · April 29, 2024, 11:40am

I’m not storing the API key, there’s an input in the frontend where users add their own API key, it’s a tool to manage namespaces with langchain alongside customized input for our organization. That’s why we don’t need a backend for this, api is not stored anywhere.

Here’s a curl of the preflight request that’s failing:

curl 'https://trasncripts-4eb54cb.svc.us-west4-gcp.pinecone.io/describe_index_stats' \
  -X 'OPTIONS' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9,en-GB;q=0.8' \
  -H 'access-control-request-headers: api-key,content-type' \
  -H 'access-control-request-method: POST' \
  -H 'origin: http://localhost:5173' \
  -H 'priority: u=1, i' \
  -H 'referer: http://localhost:5173/' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0'

While for example if the index is stored in AWS, it works properly:

curl 'https://agent-assist-index-4eb54cb.svc.aped-4627-b74a.pinecone.io/describe_index_stats' \
  -X 'OPTIONS' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9,en-GB;q=0.8' \
  -H 'access-control-request-headers: api-key,content-type' \
  -H 'access-control-request-method: POST' \
  -H 'origin: http://localhost:5173' \
  -H 'priority: u=1, i' \
  -H 'referer: http://localhost:5173/' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0'