Impossible to add SearX as search engine if the app is private
Closed this issue · 12 comments
I just installed SearX on my server, telling Yunohost to put it behind the SSO.
I then tried to add this search engine in Firefox and got an error.
I managed to bypass this by adding
search.myserver.fr/opensearch.xml
in the skipped_urls of /etc/ssowat/conf.json
This could be done at installation time.
This is not related to an error in packaging. This is the default behavior of any app which is behind the SSO. You can tweak the apps as you described, but this is hard to implement at installation time because there are many more user customizations of this kind that would be possible, and making an option for each one at installation time would not be possible.
I thought this was an issue as this kind of behavior is done for example in FreshRSS where API endpoints are always public even if the instance itself is behind the SSO.
Same thing for Lutim where the interface is protected, but links for the images are public.
If you log in to the SSO and even then you are not able to add Searx to the Firefox search panel, then this can be an issue. I have not tried Searx behind the SSO in my case, so I really have no idea if this would compromise Searx being behind the SSO.
Maybe other core app developers have their point of view here.
Yes, I was logged in to the SSO and was able to do some searches.
It seems that the call to the XML is done in another sandbox, or something like this.
The only problem I see with making this URL public is that a web crawler trying /opensearch.xml
on all domains can find that there is a SearX instance there (but cannot do searches on it).
The thing is, if your searx is private but /opensearch.xml isn't, for your Firefox, what will prevent me or anyone else from using that same address in their Firefox?
Which means that your searx will no longer be fully private.
So, it could be an option, but not the default behavior.
I don't know how FreshRSS is working, but usually an API uses a key or something like that to restrict access.
There's no such thing for searx.
So, this possibility could be added later with the config-panel feature.
opensearch.xml is not the URL used for searches, it is just the descriptor of the search engine.
Depending on how you configured your parameters in your searx cookies, it will contain either
<Url type="text/html" method="get" template="https://search.myserver.fr/search?q={searchTerms}"/>
or
<Url type="text/html" method="post" template="https://search.myserver.fr/"><Param name="q" value="{searchTerms}"/></Url>
(plus the description of the search engine, url to favicon, and autocomplete)
So the search engine is not public even if the descriptor is.
And for FreshRSS, that's true, the API requires a key.
For Lutim (image sharing), the images are public, but the interface to upload them is private.
If you want, I can send you the full URL of my SearX instance for tests.
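An added check, not part of the thread, that makes the "descriptor public, engine private" argument verifiable: it parses an OpenSearch descriptor (a constructed sample modelled on the two Url variants quoted above, including a hypothetical /autocompleter entry) and reports which of the search endpoints it references would fall through a given SSOwat skipped_uris list. It assumes SSOwat matches skipped_uris entries as path prefixes, which is why a naive entry of "/" exposes everything while "/opensearch.xml" exposes nothing.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OSD_NS = "http://a9.com/-/spec/opensearch/1.1/"

# Constructed sample descriptor; the two Url elements mirror the ones quoted in the thread.
# The autocompleter entry is a hypothetical third endpoint of the same shape.
SAMPLE_OPENSEARCH_XML = """<?xml version="1.0" encoding="utf-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>searx</ShortName>
  <Description>private metasearch instance</Description>
  <Url type="text/html" method="get" template="https://search.myserver.fr/search?q={searchTerms}"/>
  <Url type="text/html" method="post" template="https://search.myserver.fr/"><Param name="q" value="{searchTerms}"/></Url>
  <Url type="application/x-suggestions+json" template="https://search.myserver.fr/autocompleter?q={searchTerms}"/>
</OpenSearchDescription>
"""


def search_endpoints(descriptor_xml):
    """Return (method, path, params) for every Url element a browser would call."""
    root = ET.fromstring(descriptor_xml)
    endpoints = []
    for url in root.findall(f"{{{OSD_NS}}}Url"):
        method = url.get("method", "get").lower()          # OpenSearch default is GET
        path = urlparse(url.get("template")).path
        params = {p.get("name"): p.get("value") for p in url.findall(f"{{{OSD_NS}}}Param")}
        endpoints.append((method, path, params))
    return endpoints


def _entry_path(entry):
    """Normalise a skipped_uris entry: accepts "/path" or "host/path" (as in the original post)."""
    if entry.startswith("/"):
        return entry
    return "/" + entry.split("/", 1)[1] if "/" in entry else "/"


def exposed_search_paths(descriptor_xml, skipped_uris):
    """Search endpoint paths that the SSO would let through unauthenticated.

    Assumption: SSOwat treats skipped_uris as path prefixes, so a skipped "/"
    covers "/search" while a skipped "/opensearch.xml" covers nothing else.
    """
    prefixes = [_entry_path(e) for e in skipped_uris]
    exposed = {path for _, path, _ in search_endpoints(descriptor_xml)
               if any(path.startswith(p) for p in prefixes)}
    return sorted(exposed)


if __name__ == "__main__":
    print("skip /opensearch.xml ->", exposed_search_paths(SAMPLE_OPENSEARCH_XML, ["/opensearch.xml"]))
    print("skip / ->", exposed_search_paths(SAMPLE_OPENSEARCH_XML, ["/"]))
```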
I managed to bypass this by adding
search.myserver.fr/opensearch.xml
in the skipped_urls of /etc/ssowat/conf.json
This could be done at installation time.
I second that.
Thanks for pointing out a solution.
I am guessing that adding a line like this in the install script would do the trick:
ynh_app_setting_set searx skipped_uris "/opensearch.xml"
The following, in a terminal, does work:
sudo yunohost app setting searx skipped_uris -v "/opensearch.xml"
sudo yunohost app ssowatconf
Has it been done? Can we close this issue then?
Well it still needs to be done manually. I didn't try to update the install script.
Just leaving a message because I have the same need :)
Tested with 1.0.0~ynh5 and working.