
Question by Mahesh Patil, Jan 9, 2017 8:44 AM

Recommendation Event tracking using search token

Hi, I have a Coveo cloud instance (V1) with all our content indexed. I am implementing page view event tracking on one of our web application's pages which is getting crawled. I saw a code sample at https://onlinehelp.coveo.com/en/cloud/coveo_machine_learning_recommendations_complete_code_sample.htm .

But, I see a risk of exposing the API key in a client-side script.

// Page-view event tracking: the same API key is passed to the browser here
coveoua('init', apiKey);
coveoua('send', 'pageview', {
  contentIdKey: fieldName,
  contentIdValue: fieldValue,
  contentType: itemType
});

// Initialize the Coveo Recommendation component with your Coveo Cloud V1 organization
document.addEventListener('DOMContentLoaded', function () {
  Coveo.SearchEndpoint.configureCloudEndpoint(orgName, apiKey, endPointURI);
  Coveo.initRecommendation(recommendationElement);
});

Can anyone brief me about the risks and what one could exploit by making use of this key? Also, to avoid this, I heard we can use a search token instead, which has a short lifespan and minimizes the risk. Can anyone share a sample implementation script?

Thanks

Mahesh Patil


Answer by François Lachance-Guillemette, Jan 9, 2017 10:58 AM

You could create a small server-side service that can generate a search token using the API key in the background.

This approach is pretty simple and most likely covers your use case.

// Ask your own server for a token, then hand it to coveoua instead of the API key.
// Assumes the endpoint answers with JSON of the form {"token": "..."}.
fetch("http://myserver:3000/token")
  .then(function (response) { return response.json(); })
  .then(function (body) {
    coveoua("init", body.token, endPointUri);
  });

Keep in mind that while the search token expires and is more secure than having your API key directly in your code, nothing stops a user from calling this endpoint directly, so you might need to add some security of your own on these calls.

More details about this approach can be found in the JavaScript Tutorial here, as they also apply to the coveoua module.


There is also a second approach, which I think is harder but also more flexible. This is the approach we took for Coveo for Sitecore 4, so here is the big picture in how we manage the analytics events.

We have a proxy service that is configured with the API key to return search tokens. This requires you to run your own server-side service that can redirect every request sent to the proxy's analytics endpoint. Say your proxy runs at myserver:3000/coveoanalytics, you need to configure your endpoint with this URI in your coveoua call as the third parameter like so:

coveoua("init", "", "http://myserver:3000/coveoanalytics")

Our proxy then asks for a search token and injects it into the request headers, as is done with the API key in the coveoua module. You can check the Network tab in the Chrome/Firefox Developer Console to see how it is added and replicate this behavior in your proxy. You should also add some security to limit which users can pass through the proxy.

This approach lets us handle most of the parameters directly from Sitecore's configuration files instead of passing this information to the client, and lets us use Sitecore's security model for authentication.

It is more complicated to set up, but I wanted to put the information here since you may already have a proxy that can be adapted for this use case.

Hope this was of help! :)

FLG


Comment by Mahesh Patil, Jan 10, 2017 2:55 AM

Thank you for the quick response FLG. Though I am not a hardcore Coveo developer, I will give the approach you mentioned a try. :-)
