Help Center

Menu

Plugin: Access restriction to search results

Purpose

Use this plugin if you need to restrict the access to your search results.

This plugin allows you to specify a HTTP header and token value that must be included with a search request for results to be returned.

This provides a token-based alternative for restricting access to search results.

Error response

If the token from the request header does not match the header and token as specified in the configuration, a 401 (Unauthorized) response will be returned.

When to use this plugin

When embedding the search in another system

Because this plugin controls access via a configured token that must be provided via HTTP headers each time a search request is made, this is most useful when you embed the search in another system.

In this case the other system calls the search on the user’s behalf and can add in the additional headers when the request is made.

For example, if you call the search from Squiz Matrix using a REST asset, the asset can be configured to provide the token along with every request that is made to Funnelback.

Usage

Enable the plugin

  1. Select Plugins from the side navigation pane and click on the Access restriction to search results tile.

  2. From the Location section, select the results page to which you would like to enable this plugin from the Select a results page select list.

The plugin will take effect as soon as you finish running through the plugin setup steps.

Configuration settings

The configuration settings section is where you do most of the configuration for your plugin. The settings enable you to control how the plugin behaves.

The configuration key names below are only used if you are configuring this plugin manually. The configuration keys are set in the results page configuration to configure the plugin. When setting the keys manually you need to type in (or copy and paste) the key name and value.

Header name

Configuration key

plugin.access-restriction-token.config.header

Data type

string

Required

This setting is required

Specifies the HTTP header name containing the security token

Security token

Configuration key

plugin.access-restriction-token.encrypted.token

Data type

Encrypted string

Required

This setting is required

The value of the security token that must be provided as the value of the configured HTTP header when making the request.

The user will only be granted access to view the search results if the header name and token are supplied when making the query.

Allow unrestricted access for click tracking

Configuration key

plugin.access-restriction-token.config.allowUnrestrictedClickTracking

Data type

boolean

Default value

false

Required

This setting is optional

This determines if the click tracking endpoint (/s/redirect) requires the token to be passed in the headers. This should be set to false if you are not proxying click tracking via your CMS.

Under normal usage you should not need to secure the /s/redirect endpoint as it’s sole purpose is to log the click then redirect the user to the actual result URL, which will be protected by any CMS security.

Allow unrestricted access for auto-completion

Configuration key

plugin.access-restriction-token.config.allowUnrestrictedAutoCompletion

Data type

boolean

Default value

false

Required

This setting is optional

This determines if the auto-completion endpoint (/s/suggest.json) requires the token to be passed in the headers. This should be set to false if you wish to use auto-completion with your search. NOTE: before allowing unrestricted access, you should consider if the risk of exposing any information as auto-completion suggestions is acceptable. If the risk is unacceptable then auto-completion should not be used for the search.

Examples

This example shows how to configure the plugin to restrict access to a set of search results unless you provide the following in you HTTP headers when making your search request:

HTTP header Value

X-FUNNELBACK-ACCESS-RESTRICTION

funnelbackSecretToken

To achieve this, the plugin must be configured with the settings:

Plugin setting Value

Header name

X-FUNNELBACK-ACCESS-RESTRICTION

Security token

funnelbackSecretToken

The token you enter (funnelbackSecretToken in the above example) is automatically encrypted when you save the value. If you view the configuration via the results page configuration key editor or raw editor you will see a value like ENCRYPTED:AQX7ZRgj4x0xVpOSA4kWIN9UR2tUFjnI8GMK6FfW6 which corresponds to the value you entered. e.g.

profile.cfg
plugin.access-restriction-token-plugin.config.header=X-FUNNELBACK-ACCESS-RESTRICTION
plugin.access-restriction-token-plugin.encrypted.token=ENCRYPTED:AQX7ZRgj4x0xVpOSA4kWIN9UR2tUFjnI8GMK6FfW6+kI/LyL9wRAX+gmVK6qqkGPKrKpRqU7

If you wish to use auto-completion or click tracking with your search you should also set the following in your plugin configuration:

Plugin setting Value

Allow unrestricted access for auto-completion

false

Allow unrestricted access for click tracking

false

Allowing unrestricted access to these endpoints means that you can directly access these without requiring the token.

Before enabling for auto-completion you should consider if there is an acceptable risk for any information that might be leaked in the auto-completion suggestions.

For click tracking there isn’t really any risk because unrestricted access to the endpoint will only log a click then redirect the user to the URL for the result, which is still protected by your CMS.

Change log

[1.3.0]

Added

  • Added support for allowing unrestricted access to the auto-completion and click tracking endpoints.

[1.2.0]

Fixed

  • Fixed plugin ID to match plugin directory name.

[1.1.0]

Changed

  • Updated to the latest version plugin framework (Funnelback shared v16.20) to enable integration with the new plugin management dashboard.

See also

  • Plugins

  • build/results-pages/search-result-security/index.adoc[]