search

Graphcool / graphcool-framework

Apache License 2.0
1.77k stars 131 forks source link

Algolia create index per user #66

Open marktani opened 6 years ago

marktani commented 6 years ago

Issue by lucfranken Thursday May 11, 2017 at 08:18 GMT Originally opened as https://github.com/graphcool/prisma/issues/199

Let's say you have an invoicing app. Every user has many invoices. I want them to be searchable by Algolia.

I do NOT want users to be able to search all invoices from all users (security issue of course). So there is NO sharing between users at all.

This is what Algolia recommends:

How can I restrict the results to objects my user has access to?

Last updated 12 April 2017 In some cases, you don’t want every user to be able to access all the objects that you have indexed on Algolia. You want to restrict the search to the objects this specific user has access to.

There are 2 ways to achieve this:

Having an index for each user. With Algolia, you can have as many indices as you want, so you can create one index for each user, create one API key for each index. It’s as simple as that. If you want to create tens of thousands of indices, you may want to contact us first.

Using our Secured API Keys feature If some of the objects are shared by multiple users, it’s better to use the same index for all users, but to use the Secured API Key feature. It allows you to generate API Keys that can only retrieve objects that have a specific tag. For example, you could tag all objects with the user_id of all users that have access to this object and then dynamically generate an API Key for each user. This way, you can make sure that each user can only search the objects he is allowed to access. This works from the (public) JavaScript code as well.

https://www.algolia.com/doc/faq/searching/how-can-i-restrict-the-results-to-objects-my-user-has-access-to/

It seems Algolia advices to create one index per user in a multi-tenant situation.

The only way I see how this could work is if GraphCool would send the records to a variable index name like invoices_1, invoices_2 etc. where the number is the user id.

Does that make sense?

There is also another option with API keys but as GraphCool handles the connection with Algolia that doesn't seem to be possible. And it seems that this is recommended when you want to share some records but not all. Which is not the case in the example scenario.

Other scenario's could be:

It looks to me like one of the most standard use-cases for search.

marktani commented 6 years ago

Comment by wallslide Friday May 19, 2017 at 04:19 GMT

It looks like all you need to accomplish this already exists. Just use Algolia's Secured API-Kes (as op mentioned). Is there some reason why this feature alone isn't enough, or why it couldn't be implemented with Graphcool's current feature set?

marktani commented 6 years ago

Comment by lucfranken Friday May 19, 2017 at 08:24 GMT

@wallslide thanks!

Will take a look on it. They advice separate indexes that's why I went for that scenario first.

It seems the generation of those keys might now be available with the functions just released, will have to take a look on that.