feat(web): add Metaso as a web search provider (metaso.cn)#2059
feat(web): add Metaso as a web search provider (metaso.cn)#2059mrluanma wants to merge 1 commit into
Conversation
Adds Metaso AI Search as a new SearchProvider option alongside Bing, DuckDuckGo, Tavily, and Bocha.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds Metaso as a new web search provider, implementing the necessary API integration, configuration options, and documentation. The feedback focuses on the security risk of including a hardcoded default API key, the need for a more generic API key placeholder in the example configuration to avoid provider-specific confusion, and a suggestion to define the full search endpoint as a constant to improve runtime efficiency.
| /// Intentionally public default key provided by Metaso for open-source/community use. | ||
| /// Last-resort fallback after config and env var. Rate-limited to ~100 searches/day. | ||
| const METASO_DEFAULT_API_KEY: &str = "mk-E384C1DD5E8501BB7EFE27C949AFDE5B"; |
There was a problem hiding this comment.
Hardcoding API keys, even public ones with rate limits, poses a security risk. This key can be easily extracted and abused by malicious actors, potentially leading to the exhaustion of the daily quota for all users of this application (a form of denial-of-service). If the key is revoked by Metaso, this functionality will break for everyone relying on the default.
A safer approach would be to require users to provide their own key, even if it's free. This would be consistent with how other providers like Tavily and Bocha are handled.
| # api_key = "tvly-YOUR_KEY" # required for tavily and bocha | ||
| # # metaso: https://metaso.cn — 秘塔AI搜索,每天 100 次免费 | ||
| # # 设置 METASO_API_KEY 或 [search] api_key 可提升额度 | ||
| # api_key = "tvly-YOUR_KEY" # required for tavily, bocha, and metaso (optional for metaso) |
There was a problem hiding this comment.
The example API key tvly-YOUR_KEY is specific to Tavily. To avoid confusion for users configuring other providers like Bocha or Metaso, it would be better to use a generic placeholder like YOUR_KEY. This would also make it consistent with the change in docs/CONFIGURATION.md.
# api_key = "YOUR_KEY" # required for tavily, bocha, and metaso (optional for metaso)
| const BING_HOST: &str = "www.bing.com"; | ||
| const TAVILY_ENDPOINT: &str = "https://api.tavily.com/search"; | ||
| const BOCHA_ENDPOINT: &str = "https://api.bochaai.com/v1/ai/search"; | ||
| const METASO_ENDPOINT: &str = "https://metaso.cn/api/v1"; |
There was a problem hiding this comment.
To avoid runtime string formatting, it's more efficient to define the full search endpoint URL as a constant. You'll need to update its usage in run_metaso_search from format!("{METASO_ENDPOINT}/search") to just METASO_ENDPOINT.
const METASO_ENDPOINT: &str = "https://metaso.cn/api/v1/search";1 participant
Summary
Adds Metaso AI Search as a new SearchProvider option alongside Bing, DuckDuckGo, Tavily, and Bocha.
Testing
cargo test --all-featurescargo fmt --all -- --checkcargo clippy --all-targets --all-featuresChecklist