URI Too Large Errors #319
Comments
|
Hi @pthurlow, could you maybe send here a CURL like command that results in an error when your security tags are too big? If this is not OK given the security of your application, please send this to [email protected] (and mention me and algolia javascript client) You can get a CURL like command from the network tab in chrome, right clicking a failed request and "copy as CURL". We recently updated the way we provide security at Algolia and you can now always use secured API keys: https://www.algolia.com/doc/guides/security/api-keys. Those keys will then be sent in POST when doing searches if the key is too big. Since then, I am interested in seing what's inside your query. As for the reasoning, we only put in the HTTP headers, headers that are considered as "simple HEADERS" given the XHR spec: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Simple_requests That way, we can avoid doing an extra OPTIONS request in browsers. Let me know how it goes. |
|
I sent an example request header to your support. When you say "Those keys will then be sent in POST when doing searches if the key is too big" do you just mean the request is made as a POST rather than a GET? If that is the case this problem will still persist because this is nginx or other server limits on URI request length. Ideally these keys would be inserted into the body to avoid this issue altogether, but as I mentioned it appears the js client is simply inlining all security tags and api keys into the url query string. |
|
After a bit more digging I think I've found the issue. The logic which determines whether to stick the If I remove the check for as a related issue, we also use the |
It seems not to be an issue with "fallback requests" but an issue being that requests done using client.search() will not have their API keys inlined when too big.
I will fix this and release.
Yes there's no more a need to use setSecurityTags if you already generated a secured API key with all the tags. All our security features are now provided by secured API keys and can be found here: https://www.algolia.com/doc/guides/security/api-keys. |
* fix(client.search): accept very long API keys
fixes #319
also fix uglify-js version because it's buggy in IE8:
mishoo/UglifyJS#1039
Came across this issue when our security tags started getting large. It appears that the headers sent to algolia are being inlined as query params in the url. This can be seen on line 74 here. When I removed those and put them in the request header I only received a
400when the headerx-algolia-agentwas removed from the query params. Leaving just that one in the query params and moving the rest to request headers solved my issue.I'd like to understand why these headers are being inlined into the url so that I might be able to supply a patch for this issue. Also any documentation on required headers/query params would be awesome as I could not find any.
The text was updated successfully, but these errors were encountered: