8

I'm querying some Elasticsearch servers from my Angular2 site. To help with security, we'd like to lock down access to only GET requests. Elasticsearch supports GET with a body but I'm having trouble making it happen with Angular2's http class.

this.http.post(SearchEndpoint, q.BuildPayload(), { method: 'GET' })

Since http.get doesn't have a body parameter, I am trying to use the post method. Previously I would leave off the RequestOptionsArgs of { method: 'GET' } and the POST would go through successfully with the body. By specifying the method in the third parameter the http class removes the body from the request.

Is it possible to make a GET request with a body in Angular 2?

1
  • According to this GitHub bug for Chrome's Postman app, Chrome's XHR doesn't allow for that kind of control and will always send a GET with a null body. We'll have to find another way to secure Elasticsearch. Commented Feb 3, 2016 at 18:32

2 Answers

16

I think that the raw XHR object doesn't allow this. To quote the specification (see https://xhr.spec.whatwg.org/):

4.5.6 The send() method

client . send([body = null])

Initiates the request. The optional argument provides the request body.

The argument is ignored if request method is GET or HEAD.

The send(body) method must run these steps:

  • If state is not opened, throw an InvalidStateError exception.

  • If the send() flag is set, throw an InvalidStateError exception.

  • If the request method is GET or HEAD, set body to null.

This discussion in the Postman GitHub could also help you: https://github.com/postmanlabs/postman-app-support/issues/131.

If you want to query an ElasticSearch server, you can use POST requests. Here is a sample:

POST http://localhost:9200/myindex/mytype/_search?pretty=true
Content-Type: application/json

{
  "query": {
    "match": {
      "somefield": "some value"
    }
  }
}

Hope it helps you, Thierry


3 Comments

I think you should use URLSearchParams as the documentation suggests here, but I'm not quite sure yet: angular.io/docs/ts/latest/guide/server-communication.html [see app/wiki/wikipedia.service.ts]
Thanks for your comment, but I think the code you suggested adds query parameters, not a payload ;-) URLSearchParams could be used to define a payload (a URL-encoded form one), but regarding this question, the problem is within the underlying XHR object that sets the body to null in the case of a GET method...
What we ended up doing was using Nginx to rewrite POST requests on a particular route to be GET requests, and it could ensure the body was still present. The problem with allowing POST requests is that you can manage Elasticsearch with POST requests but not GET requests.
0

FWIW, I would be interested in hearing why this is desirable in https://github.com/whatwg/fetch/issues/83. For now there's no browser-based API that supports this, but we could offer it as a feature in fetch() given a convincing enough argument (and implementer interest).

1 Comment

We are working with Elasticsearch. All of our requests are going through a reverse proxy between the user's browser and the Elasticsearch servers. For security, we'd like to only allow GET requests to hit the Elasticsearch servers, and locking that down upstream at the reverse proxy is the most straightforward way to do it. But if the user can't submit a query in a GET, we can't lock it down that way.
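The lock-down discussed in the comments above (the reverse proxy accepts a browser POST only on the search route and forwards it upstream as a GET with the body intact, while refusing every other write) can be expressed as a small routing policy. This is an added example, not code from the thread; the function names `decide` and `deny`, the route pattern and the status codes are assumptions.

```javascript
// Added example: method/route policy a reverse proxy could apply in front of
// Elasticsearch. Names, route pattern and status codes are assumptions.

// Assumed route shape, taken from the sample request in the answer above:
// /<index>/_search or /<index>/<type>/_search. Names must start with a
// lowercase letter or digit, so "_bulk", "_delete_by_query" and ".." never match.
const SEARCH_ROUTE = /^\/[a-z0-9][a-z0-9._-]*(\/[a-z0-9][a-z0-9._-]*)?\/_search$/;

function deny(status, reason) {
  return { allow: false, status, upstreamMethod: null, reason };
}

function decide(method, rawUrl) {
  const path = String(rawUrl).split('?', 1)[0];
  // Refuse percent-encoding in the path instead of guessing how the upstream
  // server will decode it (e.g. %5Fbulk or %2e%2e).
  if (path.includes('%')) return deny(400, 'encoded path');

  const m = String(method).toUpperCase();
  // Reads pass through unchanged: this is the "GET only" policy from the question.
  if (m === 'GET' || m === 'HEAD') {
    return { allow: true, status: null, upstreamMethod: m, reason: 'read' };
  }
  // Browsers drop the body on GET, so the query arrives as POST. Accept it only
  // on the search route and forward it upstream as GET with the body intact.
  if (m === 'POST' && SEARCH_ROUTE.test(path)) {
    return { allow: true, status: null, upstreamMethod: 'GET', reason: 'search rewritten' };
  }
  return deny(405, 'method not allowed on this route');
}

// Constructed sample requests (not taken from real traffic).
const samples = [
  ['POST', '/myindex/mytype/_search?pretty=true'],
  ['POST', '/myindex/_bulk'],
  ['DELETE', '/myindex'],
  ['POST', '/myindex/%5Fbulk'],
];
for (const [method, url] of samples) {
  const d = decide(method, url);
  console.log(method, url, '->', d.allow ? `forward as ${d.upstreamMethod}` : `reject ${d.status}`);
}
```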
