Closed josephmarkus closed 4 years ago
That's an interesting point. What we advise is the following:
```
ALGOLIA_APP_ID=xxx
GATSBY_ALGOLIA_APP_ID=xxx
ALGOLIA_API_KEY=yyy # be careful to use write API key here
GATSBY_ALGOLIA_API_KEY=zzz # be careful to use search API key here
ALGOLIA_INDEX_NAME=aaa
GATSBY_ALGOLIA_INDEX_NAME=aaa
```
If there's a way you think this can be worded more clearly in the readme here, please feel free to suggest an improvement
@Haroenv what do you think about replacing the comment with something like:
```js
appId: process.env.ALGOLIA_APP_ID,
// Make sure that you use Algolia's Admin API Key
// as process.env.ALGOLIA_ADMIN_API_KEY
// When accessing Algolia on the client side, use
// Algolia's Search-Only API Key as
// process.env.GATSBY_ALGOLIA_SEARCH_API_KEY
apiKey: process.env.ALGOLIA_API_KEY,
indexName: process.env.ALGOLIA_INDEX_NAME, // for all queries
```
Perhaps this is too verbose and doesn't even do justice to emphasising the fact that the API key is exposed through API calls. You can actually see in DevTools > Network that requests contain the API key in the URL.
I could create a PR for this.
I've slightly tweaked the comment, do you think it's clear enough now?
I think it's clearer, although I would aim to explain 1) why a user should use the admin key here (creating/updating/deleting records in Algolia can only be done with the admin API key); and 2) why a user should use the search API key when accessing Algolia from within their components.
As an aside, I noticed there's a slight typo in here:
```js
// Careful, no not prefix this with GATSBY_
```
`no` should be `to`
All in all, I would replace
```js
// Careful, no not prefix this with GATSBY_, since that way users can change
// the data in the index. Instead use GATSBY_ALGOLIA_API_KEY for a search-only one
```
with
```js
// Use Admin API key without GATSBY_ prefix, so that the key isn't exposed in the application
// Tip: use Search API key with GATSBY_ prefix to access the service from within components
```
See which one fits best 👍
Thanks, that's much clearer!
In your readme it says:
How can users change data in the index, if environment variables are prefixed with GATSBY_?
Without GATSBY_ I cannot load widgets on client side (environment variables show as undefined) as outlined here: https://www.algolia.com/doc/guides/building-search-ui/installation/react/
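The key split discussed in this thread can be checked before a build. The following is an added example, not code from the plugin or from any participant: it parses a `.env` file laid out as advised above and reports when a `GATSBY_`-prefixed variable (which Gatsby makes available to browser code) carries the same value as the write key in `ALGOLIA_API_KEY`. The function names `parseDotenv` and `checkAlgoliaEnv` and the sample values are assumptions made for illustration.

```javascript
// Added example; parseDotenv and checkAlgoliaEnv are hypothetical helper names.
// Parse .env text: KEY=value lines, skipping blanks and "#" comments.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\s+#.*$/, '').trim(); // drop trailing " # comment"
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue; // not a KEY=value line
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// Return a list of problems with the six-variable layout from the thread.
function checkAlgoliaEnv(env) {
  const problems = [];
  for (const suffix of ['APP_ID', 'API_KEY', 'INDEX_NAME']) {
    for (const name of [`ALGOLIA_${suffix}`, `GATSBY_ALGOLIA_${suffix}`]) {
      if (!env[name]) problems.push(`missing ${name}`);
    }
  }
  // Anything prefixed GATSBY_ is readable in the browser, so it must never
  // equal the write key used at build time.
  const writeKey = env.ALGOLIA_API_KEY;
  for (const [name, value] of Object.entries(env)) {
    if (writeKey && name.startsWith('GATSBY_') && value === writeKey) {
      problems.push(`${name} holds the write API key`);
    }
  }
  // App ID and index name are the same on both sides in the advised layout.
  for (const suffix of ['APP_ID', 'INDEX_NAME']) {
    const build = env[`ALGOLIA_${suffix}`];
    const client = env[`GATSBY_ALGOLIA_${suffix}`];
    if (build && client && build !== client) {
      problems.push(`ALGOLIA_${suffix} and GATSBY_ALGOLIA_${suffix} differ`);
    }
  }
  return problems;
}

// Constructed sample input mirroring the placeholder values in the thread.
const GOOD_ENV = ['ALGOLIA_APP_ID=xxx', 'GATSBY_ALGOLIA_APP_ID=xxx',
  'ALGOLIA_API_KEY=yyy # write API key', 'GATSBY_ALGOLIA_API_KEY=zzz # search API key',
  'ALGOLIA_INDEX_NAME=aaa', 'GATSBY_ALGOLIA_INDEX_NAME=aaa'].join('\n');
// Constructed misconfiguration: the write key copied into the client variable.
const BAD_ENV = GOOD_ENV.replace('GATSBY_ALGOLIA_API_KEY=zzz', 'GATSBY_ALGOLIA_API_KEY=yyy');

console.log(checkAlgoliaEnv(parseDotenv(GOOD_ENV)));
console.log(checkAlgoliaEnv(parseDotenv(BAD_ENV)));
```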