Critical Update: Safer Conditional Pipeline Routing

This critical update was introduced in the October 21, 2020 platform update and was applied to all Coveo organizations on January 7, 2021.

When an organization has multiple query pipelines, we recommend using the searchHub-based conditional routing strategy.

In this scenario, the search token contains a searchHub parameter, and each query pipeline except the default one has a distinct condition based on a specific searchHub value (e.g., Search Hub is Community Search, Search Hub is Agent Panel, etc.). Thus, search requests are routed according to the search interface from which they originate.

Prior to this critical update, it was possible to bypass this whole routing mechanism by setting the pipeline query parameter directly in the search request.

What Did This Update Cause?

When a search request is authenticated with a search token that enforces a searchHub value, if the target organization contains a query pipeline whose condition is based on that same searchHub value, the search request is now be routed to that pipeline, even if the pipeline parameter is set to another pipeline in the search request.

In other words, it’s no longer be possible to override a well-implemented searchHub-based conditional pipeline routing strategy by passing a pipeline parameter in the search request.

What Must I Do to Comply With This Update?

In the majority of cases, this critical update causes no issues.

Still, we recommend that you do the following validations:

Step 1: Search for Pipelines With searchHub-Based Conditions

You should validate if any pipelines in your organization have a condition based on a searchHub value. If that’s not the case, this critical update won’t cause any issues in your solution.

  1. In the administration console, select Search > Query pipeline.
  2. In the table, search for query pipelines that have a searchHub-based condition (e.g., Search Hub is MySearchHub).

Step 2: Validate Your Public Search Interfaces

If you have found at least one query pipeline with a searchHub-based condition in the previous step, you should validate if any of your public Coveo-powered search interfaces are setting the pipeline query parameter.

Here is a non-exhaustive list of potential search interfaces in a typical Coveo-powered solution:

  • Standalone search boxes
  • Search pages
  • Recommendation interfaces
  • Case deflection panels
  • Insight panels
  • Listing pages
  • Chatbots

If you’re using Coveo Cloud hosted search pages, you don’t have to test those.

To test whether a given search interface is setting the pipeline query parameter:

  1. In your browser, open your developer tools and select the Network tab.

  2. Access the search interface you want to test.

  3. Trigger a search request from the search interface. If the search interface has an input that can provide query suggestions (e.g., a search box), you should test both query and query suggestion requests.

  4. In your browser tools, search for a POST request made against a Coveo search endpoint (e.g., you can use a filter such as cloud.coveo.com/rest/search).

  5. Look for the pipeline parameter in the request URL (e.g., https://platform.cloud.coveo.com/rest/search/v2?pipeline=MyPipeline) and in its form data (e.g., pipeline: MyPipeline).

If the search interface is setting the pipeline parameter in its request URL, form data, or both, you must then validate if the search interface is authenticating its requests with a search token, and if so, whether that search token is setting the searchHub.

  1. In the request headers, search for the Authorization header.

  2. If the token has the following form: xx********-****-****-****-************, the search interface isn’t using search token authentication and won’t be causing any issues. You can test another search interface in your solution.

  3. Otherwise, copy the entire token to your clipboard, access the jwt.io web site, and paste the token in the Encoded box.

  4. In the decoded payload, search for the pipeline and searchHub parameters.

If the pipeline parameter is in the search token, the search page won’t cause any issues. You can test another search interface in your solution.

However, if the pipeline parameter isn’t set, and the searchHub parameter is in the token, you must validate if any query pipeline in your organization has a condition based on that searchHub value. If that’s the case, after applying the critical update, search requests sent from that search interface will be routed to that query pipeline instead of the one specified by the pipeline parameter enforced through the search interface. This may change the behavior of your search interface in an undesired way, so you should make the necessary adjustments. You can make those adjustments on your own, and contact Coveo Support for guidance.

Recommended Articles