Everything looks great about Search UI except security. All keys/credentials (searchKey, host identifier, engineName) are visible in the API call.
I thought to move the connector key logic to the backend.
So the flow will be like: 1. Search UI calls the backend API. 2. The backend calls the App Search API and returns the response as is to show results in the UI.
Is this the right way to go?
I haven't found any way to make my own API call from search-ui.
Hey @Swapnil_Ghorpade. We consider it safe to expose Public Search Keys. They have limited, read-only access. Did you have a specific concern around that?
@Swapnil_Ghorpade You could set up a thin proxy to our API that handles authentication and injects the correct authentication token, and then point Search UI at your proxy server. There is an endpointBase configuration option that lets you configure the URL where the App Search API is located.
If you need to protect search and put it behind a login, then you'll need to make the API requests to App Search server-side. One way to do that would be to create your own search endpoint that just proxies our App Search API.
Browser -> Your Server -> App Search API
Your server could just pass App Search API requests through to the App Search API. Your server, though, would be responsible for authentication. Additionally, your server would append the correct API Key to the request before forwarding the request, so that it is never exposed in the browser.
@Swapnil_Ghorpade If your documents are private, then I think you must make these calls on the server side, behind your authentication. I don't think there's any way around that.
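The Browser -> Your Server -> App Search API flow discussed in this thread, as an added sketch in Node.js (not code from any of the posts or from Elastic). The host, engine name, key, `getSession` hook and the `/api/as/v1/engines/<engine>/<operation>` path layout are assumptions and placeholders; the proxy rejects unauthenticated callers, relays only an allowlist of operations for one engine, and attaches the API key server-side.

```javascript
// Hypothetical configuration: placeholder values, the key is read on the server only.
const config = {
  upstreamBase: process.env.APP_SEARCH_BASE || "https://app-search.example.invalid",
  engineName: process.env.APP_SEARCH_ENGINE || "my-engine",
  apiKey: process.env.APP_SEARCH_KEY || "PLACEHOLDER_KEY",
};

// Assumed path layout; only these operations of the one engine are relayed,
// so the proxy cannot be used to reach other engines or admin endpoints.
const ALLOWED_OPS = new Set(["search", "query_suggestion", "click"]);

// Pure decision function: returns { status } to reject, or the upstream request.
// `session` is whatever your login layer attached to the request (hypothetical).
function buildUpstreamRequest({ method, path, session, body }, cfg = config) {
  if (!session || !session.userId) return { status: 401 };
  if (method !== "POST") return { status: 405 };
  const m = /^\/api\/as\/v1\/engines\/([^/]+)\/([a-z_]+)(?:\.json)?$/.exec(path);
  if (!m || m[1] !== cfg.engineName || !ALLOWED_OPS.has(m[2])) return { status: 404 };
  return {
    url: `${cfg.upstreamBase}/api/as/v1/engines/${cfg.engineName}/${m[2]}`,
    // Browser-supplied headers are dropped; the key is attached here only.
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${cfg.apiKey}` },
    body,
  };
}

// Minimal server wiring; getSession is a hypothetical hook into your own auth.
async function startProxy(port, getSession) {
  const http = await import("node:http");
  return http.createServer(async (req, res) => {
    let body = "";
    for await (const chunk of req) {
      body += chunk;
      if (body.length > 64 * 1024) { res.writeHead(413).end(); return; }
    }
    const path = req.url.split("?")[0];
    const out = buildUpstreamRequest({ method: req.method, path, session: getSession(req), body });
    if (out.status) { res.writeHead(out.status).end(); return; }
    try {
      const up = await fetch(out.url, { method: "POST", headers: out.headers, body: out.body });
      res.writeHead(up.status, { "Content-Type": "application/json" }).end(await up.text());
    } catch { res.writeHead(502).end(); }
  }).listen(port);
}
```

Search UI would then be pointed at this server through the endpointBase option mentioned above, with a dummy search key in the browser, since the proxy discards whatever Authorization header the client sends.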