docs: Add Orama Search #202
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
WalkthroughThis pull request removes a sensitive cryptographic key from the development environment file and introduces new environment variables for the Orama cloud service. It also updates the Astro configuration to validate these new variables and integrates a new search component that leverages Orama’s web components. Additionally, the build script and TypeScript configuration are modified, and the Turbo build system is updated to pass through the specified environment variables. Changes
Sequence Diagram(s)sequenceDiagram
participant User
participant SearchComponent
participant MutationObserver
User->>SearchComponent: Load search component
SearchComponent->>SearchComponent: Initialize component and call updateSearchTheme
SearchComponent->>MutationObserver: Start observing document attribute changes
Note over MutationObserver: Wait for theme attribute changes
MutationObserver->>SearchComponent: Notify updateSearchTheme on change
SearchComponent->>SearchComponent: Update theme accordingly
Possibly related PRs
Suggested labels
Suggested reviewers
Poem
📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
⏰ Context from checks skipped due to timeout of 120000ms (2)
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (6)
docs/src/utils/search.ts (3)
31-31: Avoid usinganytype for PostHog.The
anytype forposthogreduces type safety. Consider using a more specific type from PostHog's type definitions.- posthog: any; + posthog: import('posthog-js').PostHog;
39-40: Remove TODO comments and console.log statements.These debug logs should be removed before merging to production.
- // TODO: remove this console.log - console.log('Identifying user with Cookie ID:', userId); + client.identify(userId); - // TODO: remove this console.log - console.log('Identifying session with PostHog:', window.posthog.get_distinct_id()); + client.alias(window.posthog.get_distinct_id());Also applies to: 43-44
48-48: Enhance error logging.The current error logging could be more informative. Consider using
console.errorand including the error stack trace.- console.log(`Error setting identity: ${error}`); + console.error('Error setting identity:', error instanceof Error ? error : new Error(String(error)));docs/src/components/Search.astro (3)
8-8: Remove debug console.log.Debug logging should be removed before production deployment.
-console.log('Redering custom search');Note: There's also a typo in 'Redering' (should be 'Rendering').
50-51: Avoid type assertion withany.Using
as anybypasses TypeScript's type checking. Consider using a proper type for the color scheme.- if (button) button.colorScheme = theme as any; - if (box) box.colorScheme = theme as any; + type ColorScheme = 'light' | 'dark'; + if (button) button.colorScheme = theme as ColorScheme; + if (box) box.colorScheme = theme as ColorScheme;
36-36: Update placeholder text.The chat placeholder text refers to "Inox Tools" but the chat functionality is disabled (
disableChat: true). Consider removing this placeholder since chat is disabled.- chatPlaceholder: 'What do you dream of doing with Inox Tools?',
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (6)
docs/.env.development(1 hunks)docs/astro.config.ts(4 hunks)docs/package.json(1 hunks)docs/src/components/Search.astro(1 hunks)docs/src/utils/search.ts(1 hunks)docs/tsconfig.json(1 hunks)
✅ Files skipped from review due to trivial changes (1)
- docs/package.json
🔇 Additional comments (3)
docs/astro.config.ts (1)
153-162: Review security implications of exposing API key to client.The Orama Cloud API key is marked as
access: 'public'and exposed to the client. This could pose a security risk if the API key has broad permissions.Please verify:
- That this API key has limited scope and is specifically intended for client-side usage
- That rate limiting is properly configured on the Orama Cloud side
❌ Verification inconclusive
🌐 Web query:
What are the security best practices for using Orama Cloud API keys in client-side applications?💡 Result:
When using Orama Cloud API keys in client-side applications, implementing robust security measures is critical to prevent unauthorized access and data breaches. Here are the key best practices:
1. Avoid Direct Client-Side Exposure
- Never embed API keys in frontend code or expose them in URLs where they can be intercepted[1][3][6]. Instead:
- Use Orama's Secure Proxy to safely handle third-party API calls (like OpenAI embeddings) without exposing credentials[10]
- Implement server-side authentication layers that add API keys to requests before forwarding them[1][3]
2. Implement Secure Transmission
- Enforce HTTPS for all API communications to encrypt data in transit[1][7]
- Use
x-goog-api-keyheaders instead of query parameters when integrating with Google APIs[3]3. Key Management Best Practices
- Rotate API keys regularly (every 90 days or sooner) using automated tools[1][4]
- Delete unused keys through Orama Cloud's developer tools dashboard[2][5]
- Store production keys securely using encrypted environment variables[4][7]
4. Access Control & Monitoring
- Apply least-privilege permissions in Orama Cloud:
- Restrict indexes each key can access[2]
- Limit operations (read-only vs write)[1][4]
- Enable real-time usage monitoring with:
- Rate limiting (requests/minute)[1]
- Anomaly detection alerts[1][7]
5. Client-Side Specific Protections
// Proper browser implementation with user identification import { OramaClient } from "@oramacloud/client"; const client = new OramaClient({ endpoint: "<CLOUD_ENDPOINT>", api_key: "<PUBLIC_API_KEY>" // Use PUBLIC key type from dashboard }); // Identify users securely client.identify("USER_ID"); client.reset(); // On logout[8]
- Use public API key type instead of private keys for frontend operations[8]
- Implement user-level rate limiting through Orama's Secure Proxy configuration[10]
6. Architectural Security
- Combine with multi-factor authentication for admin access[7]
- Maintain audit logs of all API key activities[1][3]
- Use automated vulnerability scanning for dependencies like @oramacloud/client[8]
By following these practices while leveraging Orama Cloud's built-in security features like secure proxies and granular permission controls, developers can maintain strong security without compromising application functionality. Regular audits and team training on credential handling further reduce human error risks[1][5].
Citations:
- 1: https://www.legitsecurity.com/blog/api-key-security-best-practices
- 2: https://docs.orama.com/cloud/data-sources/custom-integrations/rest-apis
- 3: https://cloud.google.com/docs/authentication/api-keys-best-practices
- 4: https://blog.pixelfreestudio.com/best-practices-for-secure-api-key-management/
- 5: https://github.com/oramasearch/orama-plugin-strapi
- 6: https://42crunch.com/token-management-best-practices/
- 7: https://orca.security/resources/blog/what-is-api-security/
- 8: https://www.npmjs.com/package/@oramacloud/client
- 9: https://fastify.dev/ecosystem/
- 10: https://docs.orama.com/cloud/orama-ai/orama-secure-proxy
Security Verification: Public API Key Exposure and Rate Limiting
- The configuration in
docs/astro.config.tsdesignates the Orama Cloud API key withaccess: 'public'andcontext: 'client', which indicates it’s intended for client-side usage.- According to Orama Cloud best practices, a public API key should be limited to non-sensitive, client-facing operations. It’s important to confirm on your Orama Cloud dashboard that the key’s permissions are indeed restricted (e.g., read-only or limited to specific indexes).
- Additionally, ensure that rate limiting (or any equivalent abuse-mitigation settings) is properly configured on the Orama Cloud side—typically via secure proxy settings or dedicated dashboard configurations—to protect against potential misuse.
Please verify on the Orama Cloud settings that these conditions are met.
docs/.env.development (1)
3-3: LGTM! Good security practice.Removing the cryptographic key from the development environment file is a good security practice.
docs/tsconfig.json (1)
9-10: LGTM! Proper configuration for React JSX support.The added compiler options correctly enable the modern JSX transform with React as the source, which is necessary for using React-based components like Orama Search.
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
docs/.env.development(1 hunks)docs/package.json(2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- docs/package.json
⏰ Context from checks skipped due to timeout of 120000ms (1)
- GitHub Check: E2E test
Summary by CodeRabbit
New Features
Chores