Algolia安全密钥管理指南

v20260423

algolia-security-basics

本指南详细讲解了Algolia的安全最佳实践，重点涵盖了作用域API密钥的应用。它指导开发者如何实现前后端密钥分离、遵循最小权限原则（Least Privilege），并通过生成有时效性、可过滤的密钥实现用户级数据安全。内容还包括了完整的密钥轮换流程，确保生产环境的系统安全。

Algolia 安全 API密钥后端前端最佳实践密钥轮换

获取技能

383 次下载

概览

Algolia Security Basics

Overview

Algolia's security model is built around scoped API keys. Every Algolia app has three default keys (Admin, Search-Only, Monitoring). For production, create custom keys with minimal permissions and use Secured API Keys for per-user/per-tenant restrictions.

Key Types and Where to Use Them

Key Type	ACL	Expose to Frontend?	Use Case
Admin	All operations	NEVER	Backend indexing, settings, key management
Search-Only	`search` only	Yes (safe)	Frontend search widgets
Monitoring	Read monitoring data	No	Health checks, dashboards
Custom	You define ACL	Depends on ACL	Scoped backend services
Secured	Derived from parent key	Yes	Per-user filtered search

Instructions

Step 1: Environment Variable Setup

# .env (NEVER commit — add to .gitignore)
ALGOLIA_APP_ID=YourApplicationID
ALGOLIA_ADMIN_KEY=admin_api_key_here        # Backend only
ALGOLIA_SEARCH_KEY=search_only_key_here     # OK for frontend

# .gitignore — MUST include:
.env
.env.local
.env.*.local

Step 2: Create Scoped API Keys

import { algoliasearch } from 'algoliasearch';

const client = algoliasearch(process.env.ALGOLIA_APP_ID!, process.env.ALGOLIA_ADMIN_KEY!);

// Create a write-only key for a specific microservice
const { key: indexingKey } = await client.addApiKey({
  apiKey: {
    acl: ['addObject', 'deleteObject', 'editSettings'],
    description: 'Product sync service — write only',
    indexes: ['products', 'products_staging'],  // Restrict to specific indices
    maxQueriesPerIPPerHour: 5000,
    referers: [],  // Empty = no referer restriction (backend use)
  },
});

// Create a search key restricted to specific referers (frontend)
const { key: frontendKey } = await client.addApiKey({
  apiKey: {
    acl: ['search'],
    description: 'Frontend search — domain-restricted',
    indexes: ['products'],
    referers: ['https://mystore.com/*', 'https://*.mystore.com/*'],
    maxQueriesPerIPPerHour: 1000,
    maxHitsPerQuery: 50,
  },
});

Step 3: Generate Secured API Keys (Per-User Filtering)

// Secured API keys are generated on YOUR server, not via Algolia API.
// They embed restrictions that the client can't bypass.

function generateUserSearchKey(userId: string, tenantId: string): string {
  const client = algoliasearch(process.env.ALGOLIA_APP_ID!, process.env.ALGOLIA_ADMIN_KEY!);

  return client.generateSecuredApiKey({
    parentApiKey: process.env.ALGOLIA_SEARCH_KEY!,
    restrictions: {
      // User can only see their tenant's data
      filters: `tenant_id:${tenantId}`,
      // Key expires in 1 hour
      validUntil: Math.floor(Date.now() / 1000) + 3600,
      // Restrict to specific indices
      restrictIndices: ['products'],
      // Optional: restrict sources (IPs)
      restrictSources: '',
    },
  });
}

// Usage in your API endpoint:
// const userKey = generateUserSearchKey(req.user.id, req.user.tenantId);
// return { appId: process.env.ALGOLIA_APP_ID, searchKey: userKey };

Step 4: Key Rotation Procedure

async function rotateApiKey(oldKeyDescription: string) {
  const client = algoliasearch(process.env.ALGOLIA_APP_ID!, process.env.ALGOLIA_ADMIN_KEY!);

  // 1. List keys to find the old one
  const { keys } = await client.listApiKeys();
  const oldKey = keys.find(k => k.description === oldKeyDescription);
  if (!oldKey) throw new Error(`Key not found: ${oldKeyDescription}`);

  // 2. Create new key with same ACL
  const { key: newKey } = await client.addApiKey({
    apiKey: {
      acl: oldKey.acl,
      description: `${oldKeyDescription} (rotated ${new Date().toISOString().split('T')[0]})`,
      indexes: oldKey.indexes || [],
      maxQueriesPerIPPerHour: oldKey.maxQueriesPerIPPerHour || 0,
      referers: oldKey.referers || [],
    },
  });

  console.log(`New key created: ...${newKey.slice(-8)}`);
  console.log('Update your env vars, then delete the old key:');
  console.log(`  client.deleteApiKey({ key: '${oldKey.value}' })`);

  return newKey;
}

Security Checklist

Admin key in env vars, never in frontend code or git
.env files in .gitignore
Frontend uses Search-Only or Secured API key
Custom keys have minimal ACL (least privilege)
referers set on frontend keys to prevent abuse
maxQueriesPerIPPerHour set on all public keys
Secured API keys have validUntil (expiration)
Key rotation scheduled quarterly
Git history scanned for accidentally committed keys

Error Handling

Security Issue	Detection	Mitigation
Admin key exposed in frontend	Code review, git scanning	Rotate immediately, restrict referers
Key in git history	`git log -S 'ALGOLIA'`	Rotate key, use git-secrets or gitleaks
Excessive ACL on key	Audit key permissions	Create scoped replacement key
Expired secured key	`validUntil` in the past	Generate fresh secured key

Resources

Next Steps

For production deployment, see algolia-prod-checklist.

信息

Category 编程开发

Name algolia-security-basics

版本 v20260423

大小 5.83KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-26