Use Read-Only Typesense API Key for Search Queries

Created on 5 August 2025

Problem/Motivation

Currently, the Typesense admin key is being used in the search block.
This creates a potential security risk since the admin key grants full access,
including destructive actions (such as deleting collections or documents).

Proposed resolution

Generate and use a read-only API key for search queries instead of the admin key.
This can be done by running a sidecar container responsible for creating the key
and storing it for the search service.

**Use a sidecar container:**

services:
  typesense:
    # ... existing config (unchanged) ...

  typesense-key-manager:
    image: curlimages/curl:latest
    container_name: ddev-${DDEV_SITENAME}-typesense-key-manager
    depends_on:
      - typesense
    networks: [default, ddev_default]
    volumes:
      - "typesense:/shared"
    # $$ is Compose escaping: the shell sees a single $.
    command: >
      sh -c "
        echo 'Waiting for Typesense to be ready...'
        # -f: a 503 from /health while the node is still starting must not count as ready
        until curl -sf 'http://typesense:8108/health' > /dev/null; do
          sleep 2
        done

        # Do not mint a fresh key on every 'ddev start'; reuse the stored one.
        if [ -s /shared/readonly-api-key.txt ]; then
          echo 'Read-only API key already present in /shared/readonly-api-key.txt'
        else
          echo 'Creating read-only API key...'
          RESPONSE=$$(curl -s -X POST 'http://typesense:8108/keys' \
            -H 'X-TYPESENSE-API-KEY: ${TYPESENSE_API_KEY:-ddev}' \
            -H 'Content-Type: application/json' \
            -d '{
              \"description\": \"Read-only key for document search\",
              \"actions\": [\"documents:search\"],
              \"collections\": [\"*\"]
            }')

          # The key value is only returned once, in this response.
          READONLY_KEY=$$(echo \"$$RESPONSE\" | grep -o '\"value\":\"[^\"]*' | cut -d'\"' -f4)
          if [ -z \"$$READONLY_KEY\" ]; then
            echo \"Key creation failed: $$RESPONSE\" >&2
            exit 1
          fi
          # Only the owner of the file should be able to read the key.
          umask 077
          echo \"$$READONLY_KEY\" > /shared/readonly-api-key.txt
          echo 'Read-only API key stored in /shared/readonly-api-key.txt'
        fi

        # Keep container running
        tail -f /dev/null
      "
    restart: "no"
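As an added example (not part of this issue or of the module's code), the same key-manager logic as a stand-alone entrypoint script, written so that each step can be checked: it waits for a real 200 from /health, builds a least-privilege key request (documents:search only, restricted to the collections named on the command line rather than "*"), extracts the key value from the response, stores it with mode 0600, and then verifies that the new key is refused for a destructive call before reporting success. The TYPESENSE_URL, TYPESENSE_API_KEY, KEY_FILE, KEY_EXPIRES_AT and RUN_KEY_MANAGER variables are assumptions of this example, not names from the page; the JSON response in the comments is constructed.

```shell
#!/bin/sh
# Example key-manager entrypoint (added example; not the module's code).
# Assumed environment (not from the page): TYPESENSE_URL, TYPESENSE_API_KEY,
# KEY_FILE, optional KEY_EXPIRES_AT (unix timestamp), RUN_KEY_MANAGER=1 to run main.
set -eu

TYPESENSE_URL="${TYPESENSE_URL:-http://typesense:8108}"
ADMIN_KEY="${TYPESENSE_API_KEY:-ddev}"
KEY_FILE="${KEY_FILE:-/shared/readonly-api-key.txt}"

# Pull the "value" field out of a POST /keys response without jq.
# Constructed sample response:
#   {"actions":["documents:search"],"collections":["*"],"id":1,"value":"k1Zt8sVfH3bq"}
# The key value is returned only once, at creation time.
extract_key_value() {
  printf '%s' "$1" | sed -n 's/.*"value":"\([^"]*\)".*/\1/p'
}

# Build the least-privilege key request: search only, limited to the named
# collections (pass "*" to allow all), with an optional expiry.
build_key_payload() {
  description="$1"; shift
  cols=""
  for c in "$@"; do
    cols="${cols:+$cols,}\"$c\""
  done
  expiry=""
  if [ -n "${KEY_EXPIRES_AT:-}" ]; then
    expiry=",\"expires_at\":$KEY_EXPIRES_AT"
  fi
  printf '{"description":"%s","actions":["documents:search"],"collections":[%s]%s}' \
    "$description" "$cols" "$expiry"
}

# -f: a 503 while the node is still starting must not count as ready.
wait_for_typesense() {
  until curl -sf "$TYPESENSE_URL/health" >/dev/null; do
    echo 'Waiting for Typesense to be ready...'
    sleep 2
  done
}

# Create the search-only key with the admin key and store it read-only to the owner.
create_search_key() {
  payload=$(build_key_payload "Read-only key for document search" "$@")
  response=$(curl -s -X POST "$TYPESENSE_URL/keys" \
    -H "X-TYPESENSE-API-KEY: $ADMIN_KEY" \
    -H 'Content-Type: application/json' \
    -d "$payload")
  key=$(extract_key_value "$response")
  if [ -z "$key" ]; then
    echo "Key creation failed: $response" >&2
    return 1
  fi
  umask 077
  printf '%s\n' "$key" > "$KEY_FILE"
}

# Negative check: the stored key must not be able to delete a collection.
# Typesense answers 401 when the key lacks the required action (expected status
# is an assumption of this example; adjust if your version differs).
verify_search_only() {
  key=$(cat "$KEY_FILE")
  code=$(curl -s -o /dev/null -w '%{http_code}' -X DELETE \
    -H "X-TYPESENSE-API-KEY: $key" "$TYPESENSE_URL/collections/$1")
  [ "$code" = "401" ]
}

main() {
  if [ $# -eq 0 ]; then
    echo "usage: $0 <collection> [<collection> ...]" >&2
    return 1
  fi
  wait_for_typesense
  if [ -s "$KEY_FILE" ]; then
    echo "Search key already present in $KEY_FILE, not creating another."
  else
    create_search_key "$@"
  fi
  verify_search_only "$1" && echo "Search-only key stored in $KEY_FILE"
}

if [ "${RUN_KEY_MANAGER:-0}" = "1" ]; then
  main "$@"
fi
```

Run inside the sidecar as `RUN_KEY_MANAGER=1 sh key-manager.sh articles pages`; the verification step turns "the key is read-only" from an assumption into something the container proves before the search block ever picks the key up.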

Remaining tasks

  • Implement the sidecar container for Typesense key management.
  • Test the creation of the read-only API key.
  • Update the search block configuration to use the new read-only key.
  • Ensure the key is securely mounted/accessible where needed.
  • Add documentation on how the read-only key is generated and used.

Category

Feature request
Status

Active

Version

1.0

Component

Code

Created by

robertoperuzzo (Tezze sul Brenta, VI, Italy)
