Gitbook API endpoint security #298
I've realized that the AI search endpoint https://api.gitbook.com/v1/spaces/{spaceId}/search/ask returns factual responses even without any authentication. Anyone who gets hold of the space id will be able to search through the information.
Replies: 1 comment 4 replies
Hi @binathperera 👋 This API endpoint should be properly secured and only return an answer if you can access the space (space is public or your request is authenticated as a user who can access the space). Can you reach out to our support (support @ gitbook.com) with the space IDs / API tokens you are using to reproduce the potential security issue? Note that if the space is published publicly, then the endpoint can be used without authentication (like anyone loading the published webpage can use Lens from the UI).
@binathperera We fixed a cache issue that might be the origin of the problem. Can you try again and let us know if it's still happening?
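The thread ends with a cache fix, but does not say what the cache bug was. The following is an added illustration (not GitBook's code, and the cache design is an assumption) of the classic way a response cache defeats an access check on an endpoint like `search/ask`: if authorization is only evaluated on a cache miss, a later unauthenticated request for the same space and query is served from the cache. The fixed variant authorizes before the lookup; a regression test for either shape is the check a defender would keep.

```python
from typing import Optional, Tuple

# Constructed fixture (assumption): one public space, one private space with a member list.
SPACES = {
    "space-public": {"public": True, "members": set()},
    "space-private": {"public": False, "members": {"alice"}},
}


def can_access(space_id: str, user: Optional[str]) -> bool:
    """Public spaces are readable by anyone; private spaces only by members."""
    space = SPACES.get(space_id)
    if space is None:
        return False
    return space["public"] or (user is not None and user in space["members"])


def answer_from_index(space_id: str, query: str) -> str:
    """Stand-in for the expensive search step whose result gets cached."""
    return f"answer for {query!r} from {space_id}"


class LeakyAskEndpoint:
    """Authorization is checked only on a cache miss. Once an authorized user
    has populated the cache, anyone who knows the space id gets the answer."""

    def __init__(self) -> None:
        self.cache = {}

    def ask(self, space_id: str, query: str, user: Optional[str] = None) -> Tuple[int, Optional[str]]:
        key = (space_id, query)
        if key in self.cache:            # hit: no access check at all
            return 200, self.cache[key]
        if not can_access(space_id, user):
            return 403, None
        self.cache[key] = answer_from_index(space_id, query)
        return 200, self.cache[key]


class FixedAskEndpoint(LeakyAskEndpoint):
    """Authorization runs on every request, before the cache is consulted."""

    def ask(self, space_id: str, query: str, user: Optional[str] = None) -> Tuple[int, Optional[str]]:
        if not can_access(space_id, user):
            return 403, None
        key = (space_id, query)
        if key not in self.cache:
            self.cache[key] = answer_from_index(space_id, query)
        return 200, self.cache[key]
```

A regression test asks the private space first as a member, then anonymously; the leaky version answers both, the fixed one returns 403 for the second request while still serving the public space without credentials.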