Search API requires authentication, preventing frontend search

[jdevalk]

Description

The /_emdash/api/search endpoint requires search:read permission, which means unauthenticated visitors cannot use the LiveSearch component on the frontend.

Root cause

In astro/routes/api/search/index.ts:

const denied = requirePerm(user, "search:read");
if (denied) return denied;

This returns 401 for any unauthenticated request. The same applies to /_emdash/api/search/suggest.

Impact

The LiveSearch component (which hardcodes /_emdash/api/search as its endpoint) doesn't work for public visitors. Search is a common frontend feature that should work without authentication.

Workaround

Create a custom public API route that calls the search() function directly:

// src/pages/api/search.ts
import type { APIRoute } from "astro";
import { search } from "emdash";

export const prerender = false;

export const GET: APIRoute = async ({ url }) => {
  const q = url.searchParams.get("q")?.trim();
  if (!q || q.length < 2) {
    return new Response(JSON.stringify({ data: { items: [] } }), {
      headers: { "Content-Type": "application/json" },
    });
  }

  const result = await search(q, {
    collections: url.searchParams.get("collections")?.split(","),
    status: "published",
    limit: Math.min(Number(url.searchParams.get("limit")) || 10, 20),
  });

  return new Response(JSON.stringify({ data: result }), {
    headers: { "Content-Type": "application/json" },
  });
};

This requires building a custom search UI since LiveSearch hardcodes the emdash API endpoint.

Suggested fix

Either:

1. Make /_emdash/api/search publicly accessible (with status: "published" enforced for unauthenticated users), or
2. Add a configurable endpoint prop to LiveSearch so themes can point it at a custom route, or
3. Add search to the public API prefixes list with appropriate rate limiting

[mvanhorn]

Implemented in #107 - removed the requirePerm check from both search endpoints. Safe because query layer defaults to published-only content.

[csfalcao]

Hey @mvanhorn — I reproduced this on today's main (commit 59bdca1, 2026-04-09) and the 401 still fires. PR #107 removed the requirePerm() check inside the route handlers, but the auth middleware blocks the request before the handler ever runs, so the handler-level changes don't execute for unauthenticated users.

Repro against a fresh clone + pnpm --filter emdash-demo dev:

$ curl "http://localhost:4321/_emdash/api/search?q=design"
{"error":{"code":"NOT_AUTHENTICATED","message":"Not authenticated"}}
HTTP 401

The 401 comes from handlePasskeyAuth in packages/core/src/astro/middleware/auth.ts (~line 587) because /_emdash/api/search isn't in the PUBLIC_API_PREFIXES allow-list or the PUBLIC_API_EXACT set. By the time the request reaches the route handler, the middleware has already returned.

The LiveSearch.astro component (shipped for public-site use per its JSDoc) fetches this endpoint without credentials and silently shows "No results found" on 401, which is why this wasn't caught — the failure is invisible in the UI.

There's also a passing E2E test at e2e/tests/search.spec.ts:189 that currently asserts the 401 as correct behavior, which would need to flip.

Happy to submit a follow-up PR adding /_emdash/api/search and /_emdash/api/search/suggest to PUBLIC_API_EXACT (keeping /enable, /rebuild, /stats admin-only), and updating that test. Should I reopen this issue or file a new one?