algolia / gatsby-plugin-algolia

A plugin to push to Algolia based on graphQl queries
https://yarn.pm/gatsby-plugin-algolia
Apache License 2.0
177 stars, 45 forks

Environment variable usage #83

Closed josephmarkus closed 4 years ago

josephmarkus commented 4 years ago

In your readme it says:

appId: process.env.ALGOLIA_APP_ID,
// Careful, no not prefix this with GATSBY_, since that way users can change
// the data in the index.
apiKey: process.env.ALGOLIA_API_KEY,
indexName: process.env.ALGOLIA_INDEX_NAME, // for all queries

How can users change data in the index if environment variables are prefixed with GATSBY_?

Without GATSBY_ I cannot load widgets on client side (environment variables show as undefined) as outlined here: https://www.algolia.com/doc/guides/building-search-ui/installation/react/

Haroenv commented 4 years ago

That's an interesting point. What we advise is the following:

ALGOLIA_APP_ID=xxx
GATSBY_ALGOLIA_APP_ID=xxx

ALGOLIA_API_KEY=yyy # be careful to use write API key here
GATSBY_ALGOLIA_API_KEY=zzz # be careful to use search API key here

ALGOLIA_INDEX_NAME=aaa
GATSBY_ALGOLIA_INDEX_NAME=aaa

If there's a way you think this can be worded more clearly in the readme here, please feel free to suggest an improvement

josephmarkus commented 4 years ago

@Haroenv what do you think about replacing the comment to something like:

appId: process.env.ALGOLIA_APP_ID,
// Make sure that you use Algolia's Admin API Key
// as process.env.ALGOLIA_ADMIN_API_KEY
// When accessing Algolia on the client side, use
// Algolia's Search-Only API Key as
// process.env.GATSBY_ALGOLIA_SEARCH_API_KEY
apiKey: process.env.ALGOLIA_API_KEY,
indexName: process.env.ALGOLIA_INDEX_NAME, // for all queries

Perhaps this is too verbose and doesn't even do justice to emphasising the fact that the API key is exposed through API calls. You can actually see in the DevTools > Network tab that requests contain the API key in the URL.

I could create a PR for this.

Haroenv commented 4 years ago

I've slightly tweaked the comment, do you think it's clear enough now?

josephmarkus commented 4 years ago

I think it's clearer, although I would aim to reason as to 1) why a user should use the admin key here (creating/updating/deleting records in Algolia can only be done with the admin API key) and 2) why a user should use the search API key when accessing Algolia from within their components.

As an aside, I noticed there's a slight typo in here:

// Careful, no not prefix this with GATSBY_

no should be to

All in all, I would replace

// Careful, no not prefix this with GATSBY_, since that way users can change
// the data in the index. Instead use GATSBY_ALGOLIA_API_KEY for a search-only one

with

// Use Admin API key without GATSBY_ prefix, so that the key isn't exposed in the application
// Tip: use Search API key with GATSBY_ prefix to access the service from within components

See which one fits best 👍
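The two-key layout Haroenv suggests above, and the reasoning in the comment just before this one, can be turned into a build-time guard. The following is an added example, not code from gatsby-plugin-algolia or from either participant; `checkAlgoliaEnv` and `clientExposedEnv` are names chosen here. It relies on one Gatsby fact: every environment variable whose name starts with `GATSBY_` is inlined into the browser bundle, so the write key must never appear under that prefix, regardless of what the variable is called.

```javascript
// Added example (not from the gatsby-plugin-algolia project): a build-time guard
// that applies the two-key rule from this issue before the plugin pushes records.
// Gatsby ships every GATSBY_-prefixed environment variable to the browser bundle,
// so anything under that prefix must be treated as public.
const CLIENT_PREFIX = 'GATSBY_';

// Returns the subset of env that Gatsby would inline into the client bundle.
function clientExposedEnv(env) {
  return Object.fromEntries(
    Object.entries(env).filter(([name]) => name.startsWith(CLIENT_PREFIX))
  );
}

// Returns a list of problems; an empty list means the layout is safe.
function checkAlgoliaEnv(env) {
  const problems = [];
  const adminKey = env.ALGOLIA_API_KEY; // write key, build time only
  const exposed = clientExposedEnv(env);

  if (!env.ALGOLIA_APP_ID) problems.push('ALGOLIA_APP_ID is not set');
  if (!env.ALGOLIA_INDEX_NAME) problems.push('ALGOLIA_INDEX_NAME is not set');
  if (!adminKey) {
    problems.push('ALGOLIA_API_KEY (write key used at build time) is not set');
  }
  if (!exposed.GATSBY_ALGOLIA_API_KEY) {
    problems.push('GATSBY_ALGOLIA_API_KEY (search-only key for client widgets) is not set');
  }
  // The write key must not appear under ANY public name, not just the expected one.
  for (const [name, value] of Object.entries(exposed)) {
    if (adminKey && value === adminKey) {
      problems.push(`${name} equals ALGOLIA_API_KEY: the write key would ship to the browser`);
    }
  }
  return problems;
}

// Constructed sample values mirroring the .env layout suggested in the thread.
const safeEnv = {
  ALGOLIA_APP_ID: 'xxx', GATSBY_ALGOLIA_APP_ID: 'xxx',
  ALGOLIA_API_KEY: 'yyy', GATSBY_ALGOLIA_API_KEY: 'zzz',
  ALGOLIA_INDEX_NAME: 'aaa', GATSBY_ALGOLIA_INDEX_NAME: 'aaa',
};
// The mistake the issue starts from: the write key copied under the GATSBY_ prefix.
const leakyEnv = { ...safeEnv, GATSBY_ALGOLIA_API_KEY: 'yyy' };

// Usage: run the check at the top of gatsby-config.js and fail the build on any problem.
for (const p of checkAlgoliaEnv(leakyEnv)) console.error('algolia env:', p);
```

Calling `checkAlgoliaEnv(process.env)` and throwing when the list is non-empty stops a misconfigured build before the admin key is bundled.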

Haroenv commented 4 years ago

Thanks, that's much clearer!