0

I would like to offer full-text search to my users through their data - and make sure that they can only access the data they own. Are there any patterns allowing to do that on Algolia ? None of the solutions I've considered seem a good fit, so i was wondering if I had overlooked some other options.

We could host each user's data in a separate Algolia app, so that each API key would give access to only the relevant data, but that would quickly become unaffordable, as many would hit the 10000 records limit.

We could host each user's data in a separate index and use team index restrictions, but there does not seem to be an API to manage those, and that would anyway require an Algolia account for each customer, which seems like a misuse of the service (we could e.g. generate email addresses at our domain name).

Finally we could filter queries with some userId to retrieve only the relevant data, but that wouldn't be secure, as someone could use the apikey to query algolia without the filter. We could proxy algolia calls to inject the filter and the api key - but the perf penalty would probably be high.

Any other suggestions ? Thanks!

VonD
  • 5,075
  • 2
  • 20
  • 30
  • Hi VonD! This is a great question but off-topic for StackOverflow since it's not programming related. Can you post it over on the Algolia forum? https://discourse.algolia.com/c/development I'll make sure it gets addressed. – Josh Dzielak Dec 15 '16 at 16:06
  • @Josh you're right. Done! – VonD Dec 15 '16 at 16:14
  • If you consider to use the multi-app solution, I suggest you this website to manage your applications. For the moment you can only copy a sourced app into a targeted app (full-copy, only settings copy, or only data copy) and clear the environment of your choice. http://algoliaextended.com/ Hope it will help. – Bloodbee Aug 30 '17 at 15:41

1 Answers1

3

I got a great answer from rayrutjes at Algolia, so I'm pasting it here in case :

The best approach for your use case is to use what we call generated API keys. Here is the documentation for the JavaScript client: https://www.algolia.com/doc/api-client/javascript/api-keys/#generate-key

The usage is fairly simple, you generate an API key on the fly based on your search API key + some additional query params.

The resulting API key can be used like a standard search API key, with the difference that it can be scoped on a given set of parameters.

Note that the generation of such a scoped API key does not require an actual call to the API.

Also be sure to generate those scoped API keys in the backend as in that case you don't want to expose the search API key you use for their generation.

Community
  • 1
  • 1
VonD
  • 5,075
  • 2
  • 20
  • 30