Allow not only indexName but also full url (when working with reverse proxy)

[xorock]

Hi.
Although the indexName value fits perfectly with the idea of meilisearch indexes it is not quite safe. The prepared URL requires opening access directly to http://ms:7700/. It is much safer to prepare the address under a server's reverse proxy that contains only the needed index.

location /movies-index {
        [...]
        proxy_pass  http://ms:7700/indexes/movies/search/;
    }

What do you think about the proposal to make the indexName value take the name of the index or the full URL. Or the second option - introduce a new value and one of the two must be required.

[bidoubiwa]

When you create your client

const client = instantMeilisearch("http://ms:7700/. "apiKey")

It is not doing any requests to the server.
instant-meilisearch is only going to request on the route: http://ms:7700/indexes/movies/search/ whenever you start searching.

Since it is only using this route, you do not need to open direct access to http://ms:7700/ i suppose.

Why do you think it is insecure to let the other routes be public?

[xorock]

If I allow access directly to the root address / many bad things can happen. Bad permissions can be given, not only search but also delete. Index settings can be read. If the developer makes a mistake and uses the admin key by accident, full access to everything is opened. Through a bug in MS that doesn't exist yet, maybe attacker can get access to the machine etc.
If possible, access should be restricted at every stage and the current implementation does not allow it (unless I am not aware of something).

[bidoubiwa]

I understand your concern! I think this should be moved to the product repository. It's definitely something that should be discussed :)