
"Secure API keys" are buggy

Open catamphetamine opened this issue 3 years ago • 5 comments

  1. Returns an "Invalid" API Key from generateSecuredApiKey(key, {}) called with empty options argument.

When that function is called with {} as the options argument, it returns some API key. When later querying anything using that generated API key on the front end, it returns error:

{"message":"Invalid API key","status":403}

  2. Throws TypeError: Cannot convert undefined or null to object when no options passed.

When generateSecuredApiKey(key, {}) function is called without the second ("options") argument, it throws:

TypeError: Cannot convert undefined or null to object
    at Function.keys (<anonymous>)
    at Object.serializeQueryParameters (c:\dev\server-lib\node_modules\@algolia\transporter\dist\transporter.cjs.js:391:19)
    at Object.generateSecuredApiKey (c:\dev\server-lib\node_modules\@algolia\client-search\dist\client-search.cjs.js:264:45)
    at Object.lib.generateAlgoliaApiKey (file:///c:/dev/server-lib/lib/algolia.js:25:30)
    at Object.generateStudentAppCourseSearchApiKey (file:///c:/dev/ASP-API/helpers/algolia/createStudentCourseIndexes.js:237:21)
    at Object.<anonymous> (file:///c:/dev/scripts/js/updateAlgoliaCourses.js:40:78)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)

https://discourse.algolia.com/t/ivalid-api-key-when-passed-a-perfectly-valid-key/14419

  3. When a "secured API key" is generated with perfectly valid comma-separated restrictIndices, such a key returns an error when used for querying on the front end:

{"message":"Invalid Application-ID or API key","status":403}

When a "secured API key" is generated using the same code but with restrictIndices being "*", it doesn't throw any errors.

We've narrowed that issue down to Algolia failing when there are more than a few index names enumerated in restrictIndices. For example, in our case, we use index name prefixes with wildcards in restrictIndices. If we add 4 index name prefixes, it stops working. But when we add, for example, just 2 index name prefixes and a wildcard ("*"), it works.

catamphetamine avatar Feb 01 '22 02:02 catamphetamine

Hey catam, are you using the admin key?

HubertRyanOfficial avatar Feb 01 '22 02:02 HubertRyanOfficial

We attempted using a "Search Only Key" but it didn't work. It only worked when used with the same "API" key the client is initialized with.

catamphetamine avatar Feb 01 '22 02:02 catamphetamine

@HubertRyanOfficial I have tested generating "secure API key" using a "Search Only Key" and the bugs are the same.

catamphetamine avatar Feb 01 '22 21:02 catamphetamine

We've found the cause for the 3rd issue: the SQL database field was declared as VARCHAR(255) and it truncated all keys to that length, and that's why it was saying Invalid Application-ID or API key. We've changed that field type to TEXT and it fixed issue 3.

Issues 1 and 2 are still observed after fixing the truncation of the API key.

catamphetamine avatar Feb 21 '22 07:02 catamphetamine

@catamphetamine Yeah, I got it.

HubertRyanOfficial avatar Feb 21 '22 08:02 HubertRyanOfficial