"Secure API keys" are buggy

(I created this thread previously, but it was deleted from this website by the system, so I have re-created it.)

We’re using the official Node.js client.

  1. Returns an “Invalid” API Key from generateSecuredApiKey(key, {}) called with empty options argument.

When that function is called with {} as the options argument, it returns some API key.
When later querying anything using that generated API key on the front end, it returns an error:

{"message":"Invalid API key","status":403}

  2. Throws TypeError: Cannot convert undefined or null to object when no options passed.

When the generateSecuredApiKey(key, {}) function is called without the second (“options”) argument, it throws:

TypeError: Cannot convert undefined or null to object
    at Function.keys (<anonymous>)
    at Object.serializeQueryParameters (c:\dev\server-lib\node_modules\@algolia\transporter\dist\transporter.cjs.js:391:19)
    at Object.generateSecuredApiKey (c:\dev\server-lib\node_modules\@algolia\client-search\dist\client-search.cjs.js:264:45)
    at Object.lib.generateAlgoliaApiKey (file:///c:/dev/server-lib/lib/algolia.js:25:30)
    at Object.generateStudentAppCourseSearchApiKey (file:///c:/dev/ASP-API/helpers/algolia/createStudentCourseIndexes.js:237:21)
    at Object.<anonymous> (file:///c:/dev/scripts/js/updateAlgoliaCourses.js:40:78)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)

  3. When a “secured API key” is generated with perfectly valid comma-separated restrictIndices, that key returns an error when used for querying on the front end:

{"message":"Invalid Application-ID or API key","status":403}

When a “secured API key” is generated using the same code but with restrictIndices being "*", it doesn’t throw any errors.

We’ve narrowed that issue down to Algolia failing when there’re more than a few index names enumerated in restrictIndices.
For example, in our case, we use index name prefixes with wildcards in restrictIndices.
If we add 4 index name prefixes, it stops working.
But when we add, for example, just 2 index name prefixes, and a wildcard ("*"), it works.

Issue number in algoliasearch-client-javascript repo is 1388.




We’ve found the cause for the 3rd issue: the SQL database field was declared as VARCHAR 255 and it truncated all keys to that value, and that’s why it was saying Invalid Application-ID or API key. We’ve changed that field type to TEXT and it fixed issue 3.

Issues 1 and 2 are still observed after fixing the truncation of the API key.
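
The truncation described in the follow-up above can be detected locally, before a stored key is handed to the front end. The following Node.js code is an added example, not part of the original post and not Algolia's client code; it assumes a secured key is base64 of the hex HMAC-SHA256 of the URL-encoded restrictions followed by those restrictions, and the parent key, index names and helper names are constructed for illustration.

```javascript
// Added example, not Algolia's client code. Assumed key layout:
//   base64( hex(HMAC-SHA256(parentKey, params)) + params )
const crypto = require('crypto');

const PARENT_KEY = 'constructed-parent-search-key'; // constructed, not a real key
const COLUMN_LIMIT = 255; // the VARCHAR width mentioned in the post

// Hypothetical stand-in for the client's generateSecuredApiKey().
function makeSecuredKey(parentKey, restrictions) {
  const params = new URLSearchParams(restrictions).toString();
  const mac = crypto.createHmac('sha256', parentKey).update(params).digest('hex');
  return Buffer.from(mac + params).toString('base64');
}

// What a silently truncating VARCHAR(n) column hands back on read.
function roundTripThroughColumn(key, limit = COLUMN_LIMIT) {
  return key.slice(0, limit);
}

// True only when the embedded MAC still matches the embedded parameters.
function isIntact(parentKey, storedKey) {
  const decoded = Buffer.from(storedKey, 'base64').toString('latin1');
  if (decoded.length < 64) return false; // no room for a SHA-256 hex digest
  const expected = crypto.createHmac('sha256', parentKey)
    .update(decoded.slice(64), 'latin1').digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(decoded.slice(0, 64), 'latin1'), Buffer.from(expected, 'latin1'));
}

// Constructed index-name prefixes: the key grows with every restriction added.
const SHORT = makeSecuredKey(PARENT_KEY, { restrictIndices: 'dev_courses_*,dev_lessons_*' });
const LONG = makeSecuredKey(PARENT_KEY, {
  restrictIndices: 'production_student_courses_*,production_student_lessons_*,' +
    'production_teacher_courses_*,production_teacher_lessons_*',
});

for (const [name, key] of [['short', SHORT], ['long', LONG]]) {
  const stored = roundTripThroughColumn(key);
  console.log(name, 'key length', key.length,
    '| intact after storage:', isIntact(PARENT_KEY, stored));
}
```

The key carries its restrictions inside it, so its length depends on how many index names are listed; a fixed-width column that fits a key with few restrictions can still cut off one with more.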