algolia / gatsby-plugin-algolia

A plugin to push to Algolia based on GraphQL queries
https://yarn.pm/gatsby-plugin-algolia
Apache License 2.0
178 stars 45 forks

Security Implication for index name #54

Closed Blackglade closed 4 years ago

Blackglade commented 4 years ago

This is something I've been thinking about, might be completely off-base.

Given that I have one algolia app (Starter Plan) and I host 2 gatsby websites with integrated algolia search:

I was thinking whether it would be possible to access the internal documents of the internal facing website through the public facing website by just brute force guessing the index name?

To add some context to this, with the algolia plugin I specify the following:

appId: process.env.GATSBY_ALGOLIA_APP_ID,
apiKey: process.env.ALGOLIA_ADMIN_KEY,
indexName: process.env.GATSBY_INDEX,

Since both my internal and external company apps are under the same APP ID (I just created different indices for each website), and the way I specify the proper index to use in my gatsby app is through the react-instantsearch-dom module:

<InstantSearch indexName={process.env.GATSBY_INDEX}>

Would it be possible for a user to pore through the js code of the front-end facing search component and just change the index name and instantly be able to access the other index? And even if you didn't know the index, you could keep guessing names until one actually returned a query?

I don't know enough about how react/gatsby compiles its final build to see if any of those values are obfuscated, but was just curious. Hopefully this makes sense, can provide more detail if needed.

Haroenv commented 4 years ago

Hey @Blackglade, you can resolve that by using an API key which is scoped to your production index alone. This means that public users won't be able to find other indices. You can make an API key with that restriction in the dashboard, or with the js client:

client.addApiKey(['search'], {
  indexes: [process.env.GATSBY_INDEX],
});

Read more here: https://www.algolia.com/doc/api-reference/api-methods/add-api-key/
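The mitigation above in worked form, as an added example that is not part of this issue thread or of gatsby-plugin-algolia: build the `addApiKey` call for a search-only key restricted to the public index, reject wildcard restrictions that would re-open every index in the app, and audit a key descriptor before it is shipped in a browser bundle. It assumes the algoliasearch v4 client shape (`client.addApiKey(acl, options)`, and a `getApiKey` result carrying `acl` and `indexes`); the client is injected so the functions run without network, and the key descriptors at the bottom are constructed samples, not real keys.

```javascript
// Added example (not from gatsby-plugin-algolia or the issue author).
// Goal: the admin key (ALGOLIA_ADMIN_KEY) stays on the build server; the key
// that reaches the browser may only search, and only the public index.
// Assumption: algoliasearch v4 API (client.addApiKey(acl, options)).

// Build the ACL and options for an index-scoped, search-only key.
function scopedSearchKeyOptions(indexNames, description = 'public site search key') {
  if (!Array.isArray(indexNames) || indexNames.length === 0) {
    throw new Error('at least one index name is required');
  }
  for (const name of indexNames) {
    // '*' (or a trailing wildcard such as "prod_*") would let the key query
    // every matching index in the same app, which is the exposure in question.
    if (typeof name !== 'string' || name.trim() === '' || name.includes('*')) {
      throw new Error(`refusing wildcard or empty index restriction: ${JSON.stringify(name)}`);
    }
  }
  return {
    acl: ['search'],
    options: {
      indexes: indexNames,
      description,
      // Per-IP rate limit so a leaked key cannot be used to bulk-scrape the index.
      maxQueriesPerIPPerHour: 10000,
    },
  };
}

// Create the key through an injected client (a real algoliasearch client
// initialised with the admin key, or a fake in tests). Returns the key value.
async function createScopedSearchKey(client, indexNames) {
  const { acl, options } = scopedSearchKeyOptions(indexNames);
  const res = await client.addApiKey(acl, options);
  return res.key;
}

// Audit a key descriptor (the shape returned by client.getApiKey / shown in the
// dashboard) before exposing it in a front-end bundle. Returns findings; an
// empty array means the key is acceptable for the browser.
function auditBrowserKey(keyInfo, allowedIndexes) {
  const findings = [];
  const acl = keyInfo.acl || [];
  const extra = acl.filter((p) => p !== 'search');
  if (extra.length > 0) findings.push(`acl grants more than search: ${extra.join(', ')}`);
  const indexes = keyInfo.indexes || [];
  if (indexes.length === 0) {
    findings.push('no index restriction: key can query every index in the app');
  }
  for (const pattern of indexes) {
    if (pattern.includes('*')) findings.push(`wildcard index restriction: ${pattern}`);
    else if (!allowedIndexes.includes(pattern)) findings.push(`unexpected index: ${pattern}`);
  }
  return findings;
}

// Constructed sample descriptors (not real keys): what an admin-style key and a
// properly scoped key look like when read back.
const ADMIN_LIKE_KEY = {
  value: 'constructed-admin-key',
  acl: ['search', 'browse', 'addObject', 'deleteObject', 'editSettings'],
  indexes: [],
};
const SCOPED_KEY = {
  value: 'constructed-scoped-key',
  acl: ['search'],
  indexes: ['public_site'],
};

console.log('admin-like key findings:', auditBrowserKey(ADMIN_LIKE_KEY, ['public_site']));
console.log('scoped key findings:', auditBrowserKey(SCOPED_KEY, ['public_site']));
```

In a Gatsby build this would run once with the admin key to mint the scoped key, and only the scoped key value would be placed in a `GATSBY_`-prefixed variable for `<InstantSearch>`; running `auditBrowserKey` on the descriptor of whatever key is in that variable catches the case where the admin key was copied there by mistake.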

Haroenv commented 4 years ago

I'll close this issue now, but don't hesitate to comment if you think this should be documented somewhere here (where?)