Secure API Key Inheritance with similar parameter



Hi, so I have the following situation. I have an index of orders and each order has a locationId associated with it. In my own DB I have a user table and each user has an array of locationIds since they move from location to location every now and then.

I need to lock down the order index so a user can only search within their approved locations. I think that’s simple enough using secure api keys, and generating a new key when the user logs in using the array of locations as the filter properties in the key.

However, a user will only ever be at a single location at a time, so I want to filter the result set even further. This is where I’m wondering if the inheritance will work for the secure api keys.

For example the secure api key would be filtered for results with locationId in [loc1, loc2, loc3].
Could I then add a filter on the front end saying, filter results to only be in loc1? Or would this inheritance be ignored because its the same sort of action, i.e. filter?

Is there a better way to do this?


Hi @adam-t-b,

This is perfectly okay! It will not conflict and should work as you expect.

If you create a securedApiKey with filters for the user, this example below will return results for location_id:1 or location_id:2 or location_id:3:

var secureKey = client.generateSecuredApiKey(
    filters: 'location_id:1 OR location_id:2 OR location_id:3' // some filters

Then if you later on another filter on the front-end, it will further reduce the results to only results with location_id:1:

var secureClient = algoliasearch('myAppId', secureKey);
var secureIndex = secureClient.initIndex('my_locations_index');{
  query: '',
  filters: 'location_id:1' // another filter
}, function searchCallback(err, content) {
  if (err) throw err;

  console.log(JSON.stringify(content, undefined, 2));

I think this is what you’re describing. It should work :ok_hand:


Amazing. So far I love Algolia and wish I had found it sooner. Thanks so much helping me out!