#community-help

Issues with Generating Scope API Keys in Python

TLDR Danny had issues generating a valid scope API key in a Python GraphQL server. Jason suggested encoding changes and confirmed that the key length varies. Issue unresolved with Python, although JS library worked.

Powered by Struct AI
Jun 09, 2022 (17 months ago)
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
04:27 PM
hello can you help me, I am generating scope api keys with excluded fields, this process I do it in a graphql server in python that sends it to a frontend to be used in the client with instant-search, but the api key that generates me is not valid and has this format
b'YVZidxxxxxxxx4MDk4fQ=='"
try deleting the weird fields like the b, the single quotes and the equals signs, but it still gives me an error.
I was guided by this documentation
https://typesense.org/docs/0.23.0/api/api-keys.html#generate-scoped-search-key
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
04:33 PM
That sounds strange. Could you post a post a code snippet that replicates the issue?
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
04:37 PM
of cuourse this is the code
class TypesenseService(TypeSenseBase):

    def __init__(self):
        super().__init__()
        self.__search_api_key = TYPESENSE_ADMIN_API_KEY

    def get_api_key_limited_by_configuration(self, configuration):
        result = self.typesense_client.keys.generate_scoped_search_key(self.__search_api_key, configuration)
        return result

04:38
Danny
04:38 PM
i use this configuration
{
    "exclude_fields": "person",
    "expires_at": expiration_date
}

04:45
Danny
04:45 PM
and this is my configuration of typesense client
class TypeSenseBase(object):
    typesense_client = None

    def __init__(self):
        self.typesense_client = typesense.Client({
            'nodes': [{
                'host': TYPESENSE_HOST,
                'port': TYPESENSE_PORT,
                'protocol': 'http'
            }],
            'api_key': TYPESENSE_ADMIN_API_KEY,
            'connection_timeout_seconds': 2
        })

Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
04:48 PM
On a side note, you want to use a search-only api key (not the admin key) to generate the scoped search api key
04:49
Jason
04:49 PM
Could you print the value of result and see what it shows you server-side?
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
04:50 PM
I changed to the ADMIN-API-KEY because I didn't know if it was that but I generated the api key with the SEARCH-API-KEY and the error is the same.
04:54
Danny
04:54 PM
b'K0lNZnpzVDFnbHdFWjdBYy9LYmZVK293LzcwWlBBNklEYmU3OGcvRHlDTT1JdHB4eyJleGNsdWRlX2ZpZWxkcyI6ICJwZXJzb24iLCAiZXhwaXJlc19hdCI6IDE2NTQ4ODAwNTQuODUyNzk0fQ=='
04:55
Danny
04:55 PM
this the result value
04:56
Danny
04:56 PM
and i change generate this with the SEARCH-API-KEY
05:45
Danny
05:45 PM
the frontend send this api-key b%27Y21rWnlsUE1tbGxMckRWV1ZmZGczeTVUNFRGcEROOFhBc05uQm5KOXFyUT1JdHB4eyJmaWx0ZXJfYnkiOiAiYWNjZXNzaWJsZVRvQ29tcGFueUlkczokMTIzMzMiLCAiZXhwaXJlc19hdCI6IDE2NTQ4ODI5MTMuMTQyMzE4fQ%3D%3D%27
and use this name x-typesense-api-key
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
05:56 PM
Hmm, I'm not too familiar with Python, but I suspect there's some string encoding issue going on. Kishore Nallan any thoughts on this ^
06:05
Jason
06:05 PM
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
06:13 PM
aaaa ok this service return bytes ???
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
06:15 PM
Looks like it... Let me know if the StackOverflow answer works, may be we should update the library to return a string, it could have also been a recent change that broke the return type.
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
06:17 PM
now return without b' but the ==sign still continue and the frontend still showing this error message
message: "Forbidden - a valid x-typesense-api-key header must be sent."
06:18
Danny
06:18 PM
i will try to do this with typescript maybe it can be the python library
06:20
Danny
06:20 PM
I have this result with python library and making decode in the string c1JGZGRVdmJMeDFSVzNKSytYUlZ4YU1SbnRMNXhMQzVSRlZQajBzaVViOD1JdHB4eyJleGNsdWRlX2ZpZWxkcyI6ICJwZXJzb24iLCAiZXhwaXJlc19hdCI6IDE2NTQ4ODQ4MTEuNzgxMjMxfQ==
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
06:24 PM
Could you try result.decode('utf-8')?
06:24
Jason
06:24 PM
(Btw, the = sign at the end is ok)
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
06:35 PM
no I keep getting the same error
06:36
Danny
06:36 PM
the length of the api key thats correct ???
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
06:48 PM
The scoped API key length will vary based on the embedded params, so there's no fixed length
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
06:51 PM
i should set something configuration in typesense cloud ???
06:52
Danny
06:52 PM
beacuse i generate a new key with the typescritp client and get this api key
a09YSmRHZHcrVWl2eXA3clVCTWtLbVZvdnpCTEJUcHFSWXdhWTRMMFkwcz1JdHB4eyJleGNsdWRlX2ZpZWxkcyI6InBlcnNvbiIsImV4cGlyZXNfYXQiOjE2NTQ4ODU1NDJ9
but I still have the same error
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
06:54 PM
Are you on Typesense Cloud or are you self-hosting Typesense?
06:55
Jason
06:55 PM
The Typesense logs should have more information. If you're on Typesense Cloud, if you can DM me your cluster ID, I can check for you
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
06:56 PM
I use Typesense Cloud
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
07:00 PM
Found the issue in the logs:

Parent key does not allow queries against queried collection. Key prefix: Itpx
07:01
Jason
07:01 PM
I also see this:

Scoped API keys can only be used for searches.
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
07:06 PM
i can show the logs in typesense cloud ???
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
07:09 PM
No... Usually logs are mainly useful for managing Typesense infrastructure, so we don't expose it and the API response shows all the errors. In this case, we don't show specific auth errors in the API response for security reasons.
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
07:14 PM
ok i understand perfectly, well i will check the documentation and my code maybe i am doing something wrong. thank you very much for everything.
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
07:17 PM
You want to make sure the parent search API key you're using has permissions to search through this particular collection
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
07:22 PM
i use the search only api key generated by typesense cloud
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
07:22 PM
Hmmm, that has permissions to search through all collections
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
07:22 PM
and this api key can acces to this collections [ "*" ]
07:23
Danny
07:23 PM
yes, that's why I don't know what's wrong
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
07:27 PM
Could you DM me the exact JS code snippet you used to generate the scoped API key (along with the API Keys) and the code snippet you used to generate the search request? I can then run it locally to see what's going on.

You can rotate the API Keys you share with me once we finish debugging.
Danny
Photo of md5-7cbfa86cff2f773b5dcbeba890c1227a
Danny
07:27 PM
ok
Jason
Photo of md5-8813087cccc512313602b6d9f9ece19f
Jason
07:59 PM
Summary: this worked with the JS library, but not the Python library for some reason.

CC: Kishore Nallan