Collection action forms now give a 403 error on requests made to the external API

Feature(s) impacted

The error was noticed in the custom actions to update a collection, because when you click to update a record, we first make a request to our API, to check if the record exists and check some business rules. But it is any request made in the Collections Actions.

Observed behavior

When opening any custom form that has a request to an External API (our API), the following error appears on the screen: An error occurred on form load. Check your server logs for more details.
And checking the logs, it returns 403, but this 403 is not from our External API.

Expected behavior

Load the form without error.

Failure Logs

2025-06-20T21:29:04.206Z | error: [Request] GET /vessel-manufacturer/6853270ac91f7fe9a435f77d - Duration: 74ms - Error: Request failed with status code 403
2025-06-20T21:29:04.208Z | error: [500] POST /_actions/vessel_manufacturers/1/update/hooks/load - 1422ms
        undefined       undefined


Context

  • Project name: Bombarco
  • Team name: Bombarco
  • Environment name: Production
  • Database type: MongoDB
  • Recent changes made on your end if any: There have been no recent changes

And, if you are self-hosting your agent:

  • Agent technology: NodeJS
  • Agent (forest package) name & version (from your .lock file): "@forestadmin/forest-cloud": "1.12.5"

Hi @martinshumberto,

Thanks for reaching out to us, we’ll do our best to solve your problem.

From the logs we can see on the screenshots you just shared, I see:

  • one 200 on “GET vessel_manufacturers” endpoint (your API?) after 1.2sec
  • then one 403 on the same “GET vessel_manufacturers” endpoint after 74ms
  • then one 500 on the action form endpoint that seems to match your API

After reading, we can establish the following:

  • There are two requests made against your API, one of which succeeds and the other fails.
  • The action form call is in 500 due to those previous errors.

So I have the following questions:

  • Is it expected to have multiple calls to your API at the same time?
  • In your initial message, what do you mean by “But it is any request made in the Collections Actions”?

Best regards,
Slim

Hello @Sliman_Medini

Thank you for your time and support.

  • The first call that returns 200 is from forest itself, when I call getRecordId() of the vessel_manufacturers collection. The difference is seen in the separator, forest uses _ which is the case used in collections, while the calls to my API are - becoming vessel-manufacturer, and also one is singular and the collection is plural.
  • The second call, we believe that the 403 error does not reach our API, since we have already debugged it on our side, with logs, and locally we do not have this problem, and it does not reach our API directly either. And one factor to be noted is that the 74ms time is very low, I believe it did not reach our infrastructure.
  • And the third is the form hook that from the moment it threw an exception it crashes on it. That is why it did not reach our next call, which would be getVesselTypesOptions.
  • The multiple ones are from the forest and another from our API, they look the same but as I mentioned above, they are different.
  • This problem is not only in this section, any custom action that makes a call to our API is facing this problem, there are routes that do not have authentication on our side that are 403 in the logs. Therefore, I reiterate that we believe that the problem is not in our API, as I believe it did not reach it.

I am available for any additional information.

Thanks!

  • getRecordId does not make a call.
  • The findOne marked with a red square looks like it is from an ORM API, isn’t it? It’s not forest code.
  • The “findOne” API does not come from forest, does it? It seems to be an ORM models call.

Can you please share your SA code? The 403 is certainly coming from there.

Regards

The findOne function is just an abstraction to organize calls to our API, it is not an ORM.

Remember that the mentioned route findOne is public, so this 403 is not coming from our side. You can test it in:

curl -X 'GET' \
  'https://api.bombarco.com.br/v1/vessel-manufacturer/6853270ac91f7fe9a435f77d' \
  -H 'accept: */*'

Below are the files that are related to this flow:

sa-code.zip (5.5 KB)

Thanks, regards
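
For tracing where a 403 like the one in this thread was generated, the following is an added example (not code from the thread or from Forest Admin) that records the response details instead of only the error message. It assumes an axios-style error object, and `ORIGIN_MARKER` is a hypothetical header name standing in for one your own API sets on every response.

```javascript
// Added example: summarise a failed HTTP call so the logs show who answered.
// Assumes an axios-style error (err.response = { status, headers, data }).
// ORIGIN_MARKER is hypothetical: replace it with a header your API really sets.
const ORIGIN_MARKER = 'x-api-instance';

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

function describeFailure(err, originMarker = ORIGIN_MARKER) {
  if (!err || !err.response) {
    // No HTTP response at all: DNS, TLS, timeout or connection reset.
    return { kind: 'no-response', code: (err && err.code) || null, message: err ? err.message : null };
  }
  const h = lowerKeys(err.response.headers);
  const body = typeof err.response.data === 'string'
    ? err.response.data
    : JSON.stringify(err.response.data ?? '');
  return {
    kind: 'http-error',
    status: err.response.status,
    // True only if the response carries the header your own API always sets.
    answeredByOrigin: Object.prototype.hasOwnProperty.call(h, originMarker.toLowerCase()),
    server: h['server'] || null,
    via: h['via'] || null,
    contentType: h['content-type'] || null,
    bodySnippet: body.slice(0, 200), // enough to tell a block page from your API's JSON error
  };
}

// Constructed samples, not taken from the thread's logs.
const fromIntermediary = {
  message: 'Request failed with status code 403',
  response: { status: 403, headers: { Server: 'edge-proxy', 'Content-Type': 'text/html' }, data: '<html>Forbidden</html>' },
};
const fromOrigin = {
  message: 'Request failed with status code 403',
  response: { status: 403, headers: { 'X-Api-Instance': 'api-1', 'content-type': 'application/json' }, data: { error: 'forbidden' } },
};

console.log(describeFailure(fromIntermediary));
console.log(describeFailure(fromOrigin));
```

Calling `describeFailure(err)` in the `catch` around the API call inside the form load hook and logging the result shows whether the 403 carried your API's marker header or came from something in front of it.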