Search streaming API should not be exposed under two separate routes, should not be exposed under UI router
Created by: slimsag
This search shows me that the search streaming API is registered in three places:

- `sourcegraph.com/search/stream` under `app/ui/router.go` (this does not make sense)
- `sourcegraph.com/.api/search/stream` under `httpapi/router/router.go` (this is good)
- The internal HTTP API under `httpapi/router/router.go` (this is good)
We should:

- Ensure no clients are using `/search/stream`, and update them to use `/.api/search/stream` instead.
- Remove this route entry entirely: https://sourcegraph.com/github.com/sourcegraph/sourcegraph@276bd3513b286c29d127fbd11ede8735e5c3ab00/-/blob/cmd/frontend/internal/app/ui/router.go?L137
Why:

- It's confusing, and these routes will have different behavior: because `/search/stream` is a UI route, all cross-origin requests to it will be denied outright, whereas the `/.api/search/stream` one is an API route which allows it to be used from other domains, used with access tokens, etc.
- It's weird to expose an API under the UI router; it doesn't match our security model and could confuse others when trying to reason about the security model (but there is no imminent danger here).