Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Secure API keys" are buggy #1388

Open
catamphetamine opened this issue Feb 1, 2022 · 5 comments
Open

"Secure API keys" are buggy #1388

catamphetamine opened this issue Feb 1, 2022 · 5 comments

Comments

@catamphetamine
Copy link

catamphetamine commented Feb 1, 2022
edited
Loading

  1. Returns an "Invalid" API Key from generateSecuredApiKey(key, {}) called with empty options argument.

When that function is called with {} as the options argument, it returns some API key.
When later querying anything using that generated API key on the front end, it returns error:

{"message":"Invalid API key","status":403}
  1. Throws TypeError: Cannot convert undefined or null to object when no options passed.

When generateSecuredApiKey(key, {}) function is called without the second ("options") argument, it throws:

TypeError: Cannot convert undefined or null to object
    at Function.keys (<anonymous>)
    at Object.serializeQueryParameters (c:\dev\server-lib\node_modules\@algolia\transporter\dist\transporter.cjs.js:391:19)
    at Object.generateSecuredApiKey (c:\dev\server-lib\node_modules\@algolia\client-search\dist\client-search.cjs.js:264:45)
    at Object.lib.generateAlgoliaApiKey (file:///c:/dev/server-lib/lib/algolia.js:25:30)
    at Object.generateStudentAppCourseSearchApiKey (file:///c:/dev/ASP-API/helpers/algolia/createStudentCourseIndexes.js:237:21)
    at Object.<anonymous> (file:///c:/dev/scripts/js/updateAlgoliaCourses.js:40:78)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)

https://discourse.algolia.com/t/ivalid-api-key-when-passed-a-perfectly-valid-key/14419

  1. When a "secured API key" is generated with perfectly valid comma-separated restrictIndices, such key returns an error when used for querying on front end:
{"message":"Invalid Application-ID or API key","status":403}

When a "secured API key" is generated using the same code but with restrictIndices being "*", it doesn't throw any errors.

We've narrowed that issue down to Algolia failing when there're more than a few index names enumerated in restrictIndices.
For example, in our case, we use index name prefixes with wildcards in restrictIndices.
If we add 4 index name prefixes, it stops working.
But when we add, for example, just 2 index name prefixes, and a wildcard ("*"), it works.
@HubertRyanOfficial
Copy link

Hey catam, are you using the admin key?

@catamphetamine
Copy link
Author

We attempted using a "Search Only Key" but it didn't work.
It only worked when used with the same "API" key the client is initialized with.

@catamphetamine
Copy link
Author

@HubertRyanOfficial I have tested generating "secure API key" using a "Search Only Key" and the bugs are the same.

@catamphetamine catamphetamine changed the title "Invalid API Key" and TypeError: Cannot convert undefined or null to object "Secure API keys" are buggy Feb 1, 2022
@catamphetamine
Copy link
Author

We've found the cause for the 3rd issue: the SQL database field was declared as VARCHAR 255 and it truncated all keys to that value, and that's why it was saying Invalid Application-ID or API key. We've changed that field type to TEXT and it fixed issue 3.

Issues 1 and 2 are still observed after fixing the truncation of the API key.

@HubertRyanOfficial
Copy link

@catamphetamine Yeah, I got it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@catamphetamine @HubertRyanOfficial