Safely Set the Search Hub Value

If you need to safely set the search hub value in your Quantic search interface, enforce it in search tokens generated server-side. You may need to do so to apply content filtering, for example.

In most Quantic implementations, you will have installed and configured the Coveo for Salesforce package, and you will have used it to implement your search token provider. If that’s the case, enforcing a target search hub requires minimal configuration of this search token provider. Hardcode the target search hub when calling the generateSearchToken function:

global with sharing class CoveoTokenProvider implements ITokenProvider {
  @AuraEnabled(continuation=true cacheable=false)
  global static String getHeadlessConfiguration() {
    Map<String, Object> coveoEndpointData = CoveoV2.Globals.getEndpointData();
    String searchToken = CoveoV2.Globals.generateSearchToken(new Map<String, Object> {
      'searchHub' => '<TARGET_VALUE>'
    });
 
    Map<String, String> headlessConfiguration = new Map<String, String>();
    headlessConfiguration.put('organizationId', (String) coveoEndpointData.get('organization'));
    headlessConfiguration.put('accessToken', searchToken);
    headlessConfiguration.put('platformUrl', (String) coveoEndpointData.get('clientUri'));
    return JSON.serialize(headlessConfiguration);
  }
}

Where you replace <TARGET_VALUE> by the target search hub value.

Warning

The reason why it’s important to hardcode the target search hub value in your backend function (e.g., getHeadlessConfiguration()) is that you don’t want its output to depend on a parameter (e.g., getHeadlessConfiguration(hub)), because malicious users could leverage that parameter to modify the search hub value set in their token, potentially causing security issues.

If you have not installed the Coveo for Salesforce package, or you have decided to implement your own custom token provider for some other reason, we can’t make precise recommendations about what to do, but be sure not to expose an argument that would allow users to modify the search hub value set in the token.

Note

In a Quantic search interface, while search tokens can enforce a search hub in search requests, you should also set your QuanticSearchInterface component searchHub parameter to the target search hub value, as this is the parameter used to log usage analytics data.

<c-quantic-search-interface engine-id={engineId} search-hub="<TARGET_VALUE>"></c-quantic-search-interface>

Where you replace <TARGET_VALUE> by the target search hub value.

What's next for me?