inveniosoftware / react-searchkit

React component library for interacting with a REST API.
https://inveniosoftware.github.io/react-searchkit/
MIT License
78 stars 40 forks

API calls directly to Elasticsearch are problematic #193

Closed devolt5 closed 2 years ago

devolt5 commented 3 years ago

It seems to me that React-Searchkit is making requests to the Elasticsearch API directly. As React-Searchkit is running in a browser, this might be highly problematic concerning security. See also: https://github.com/elastic/search-ui#how-do-i-use-this-with-elasticsearch

I guess the field of application of React-Searchkit is predominantly public APIs, like Zenodo. But for other use cases, there is nothing yet implemented to prevent API calls from browser to Elasticsearch. Search-UI, the project of Elastic, uses Elastic App Search and a token-based auth as a security layer here.

I could think of two solutions here:

1) add a feature to make requests server-side (using nextJS/node)
2) implement a request component to let React-Searchkit make API calls to a proxy rather than Elasticsearch

Or did I miss something?

ntarocco commented 3 years ago

It is not the responsibility of RSK to do that: what is there in the code is simply a demo, a playground to test it out. Never for production! You should indeed always check the Elasticsearch documentation and set it up correctly and securely: reverse proxy, ES plugins or your backend.

There is no security issue in RSK :)
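The proxy approach devolt5 proposes as option 2, and the "your backend" option in ntarocco's reply, as an added example that is not react-searchkit's own code: a small Node backend endpoint that the browser calls instead of Elasticsearch, so the cluster URL and credentials never reach the client and the client never sends raw Query DSL. It assumes Node 18+ (global `fetch`), a hypothetical index named `records`, and an `ES_URL` environment variable.

```javascript
// Added example, not part of react-searchkit. The browser posts {q, size, page, sort}
// to this backend; the backend builds a fixed, allow-listed Elasticsearch query.
const ES_URL = process.env.ES_URL || "http://localhost:9200"; // stays server-side only
const ES_INDEX = "records";                                    // assumed index name
const ALLOWED_FIELDS = new Set(["title", "description", "authors"]); // searchable/sortable
const MAX_SIZE = 50;                                           // cap page size

// Translate the untrusted browser payload into a fixed ES query. Anything not
// on the allow-list (sort on arbitrary fields, huge sizes, raw DSL) is rejected or clamped.
function buildEsQuery(body) {
  if (typeof body !== "object" || body === null) throw new Error("bad body");
  const q = typeof body.q === "string" ? body.q.slice(0, 256) : "";
  const size = Number.isInteger(body.size) ? Math.min(Math.max(body.size, 1), MAX_SIZE) : 10;
  const page = Number.isInteger(body.page) && body.page >= 1 ? body.page : 1;
  const sortField = body.sort === undefined ? null : body.sort;
  if (sortField !== null && !ALLOWED_FIELDS.has(sortField)) throw new Error("sort not allowed");
  return {
    size,
    from: (page - 1) * size,
    query: q ? { multi_match: { query: q, fields: [...ALLOWED_FIELDS] } } : { match_all: {} },
    ...(sortField ? { sort: [{ [sortField]: "asc" }] } : {}),
  };
}

// Forward the sanitized query to ES and return only the hits, not cluster metadata.
// `doFetch` is injectable so the proxy can be exercised without a live cluster.
async function proxySearch(body, doFetch = fetch) {
  const esQuery = buildEsQuery(body);
  const res = await doFetch(`${ES_URL}/${ES_INDEX}/_search`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(esQuery),
  });
  if (!res.ok) throw new Error(`search backend error ${res.status}`);
  const data = await res.json();
  return {
    total: data.hits.total,
    hits: data.hits.hits.map((h) => ({ id: h._id, ...h._source })),
  };
}
```

Mount `proxySearch` behind an authenticated route of your own (Express, Next.js API route, Flask, etc.) and point react-searchkit's request layer at that route.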