#community-help

Generate Multiple Scoped Search Keys with Typesense

TLDR: Kian asked whether many scoped search keys could be generated, one for each user, and whether access to indexes unrelated to each user could be prevented. Kishore Nallan confirmed this and explained that filtering by 'user_id' in the API key would restrict record access.

Oct 14, 2022 (12 months ago)
Kian
11:39 AM
Hi,

How many scoped search keys can I generate for an instance of Typesense in principle? Would it be possible to have one for each user on our platform?

(I am trying to find out whether I can configure an individual access role for certain indexes, not based on being part of a group like admin and also not being part of an organization like the scenario for multi-tenancy)
Kishore Nallan
11:52 AM
A scoped API key is generated client-side and is nothing but a key with a filter_by embedded inside it that's derived from a base key. So you can create as many scoped API keys as you want.
Kian
12:02 PM
Thank you,

So assuming User A should only see index 1 and User B should only see index 2

Using this custom API key with embedded filter_by, User B can still run the query based on index 1 and get it, right?

No way to prevent access to the index 1 from other users besides User A via API keys?
Kishore Nallan
12:12 PM
When you say index, do you mean a collection?
Kishore Nallan
12:13 PM
You can have a field called "user_id" in all the documents in your collection, and then by creating a scoped API key with a filter_by=user_id:100 clause you ensure that the API key will always be restricted to that user's records.
Kian
01:21 PM
Kishore Nallan, sorry for being vague here. I meant Document when I said index.
Kian
01:22 PM
But let’s say, in theory, if I know the id of that user (100) and I am user 99, I can still build a query to filter_by user_id:100 and get the results back, correct?
Kian
01:24 PM
I do not need the above API key to get the result for another user; I can construct the query in such a way as to get that back even with my own API key, which let’s say has the filtered_by:99 embedded in it?
Kishore Nallan
01:27 PM
If user id 99 tries to filter on user id 100 by constructing a filter_by that way, it won't work because the filter_by embedded inside the key will always take precedence.


Oct 17, 2022 (12 months ago)
Kian
07:03 AM
Thank you!