Re-posting this question as requested by @JasonStoltz
So I have everything working with enterprise-search (app-search) and have customized the generated search-ui. I've loaded in a couple million documents and everything works great. However, the generated UI is working with the public search- bearer token on the client side (in the React app).
I would like to secure the ability to search with a login to restrict access to known/authorized users in our domain. I have a simple node/express app that authenticates our users and verifies they are within our domain (e.g. google oauth + directory API).
I understand that from app-search's perspective, signed search keys are the right approach here. I can certainly use the app-search-node lib to generate a per-user search key and then inject that into the React app (static), which is served from within the node app post-authorization. However, I am wondering about key invalidation. I don't want that signed search key to continue to be valid after the session has expired.
Is there a recommended approach here for this type of case? I couldn't find any documentation about securing app search beyond managing all credentials in app search, which is cumbersome since we already have OAuth/directory-based authentication/authorization with Google.
We could just use a tunnel to expose search-UI/app-search without auth on our intranet, but if we don't want 100% of our employees to have access... then that isn't really a good option either.
I'm also not a React developer and would like to avoid going down the path of adding a bunch more complexity to the React app. I would rather handle authentication external to the React app and then serve the React app (static) with an injected valid (but expiring) credential if the user is authorized. Even that seems brittle, as the React/app-search credential would need to somehow be kept in sync (valid state) with the cookie-based login session.
I originally thought the way to do this would be to proxy the app-search requests and inject the bearer token if the user is authorized and redirect them to a login screen if not... but it sounds like that is non-trivial.
Would love to see a bare-bones writeup on how to secure search-UI for this type of use case, as it would make integrating search-UI, including authorization, into other larger (and possibly non-React) apps much more obvious.