I have my records stored in the Algolia index having a userID attribute associated with each. I want to perform a search such that the records visible to the user will be filtered such that the userIDs match. I can easily do this on the frontend using the instantsearch library and the userID stored in localStorage.
Problem with passing userID on the frontend
Anyone using the client can manipulate the Algolia request with different userIDs that will filter results relevant to those IDs. A security issue here. But as Algolia mentioned here frontend search can be upto 10x faster.
Solution using backend search
Can implement this such that a normal HTTP request is send to the backend with the relevant search parameters and filters and adding the userID in the backend. After that doing the search in the backend and sending the data back to the frontend using a HTTP response. Slower since it has go through multiple servers just to add the userID.
Question
I want to know if there is a still a workaround for this using frontend search and preserving security since speed is also important. I'm new to using Algolia and still not fully aware of what it is capable of.
Thanks.
There is a baked-in way to add user-based security for record access control.
You need to generate ephemeral API keys with filters hard coded. The end user cannot alter those filters to get around the security. When a user comes through your login flow, the backend generates this key with the appropriate filters (e.g. 'filters' => visible_by:group/'.$currentGroupId.' OR visible_by:group/Everybody' and passes it to the front end in places of the search-only API key.
Your records will need to include a matching attribute for the filter (visible_by in this case) with the appropriate values.
You can read more about it here:https://www.algolia.com/doc/guides/security/api-keys/how-to/user-restricted-access-to-data/#generating-a-secured-api-key