Move crates under a sub folder to clean up the code

2025-07-03 03:47:02 +02:00 · 2024-10-21 08:18:43 +02:00 · 2024-10-21 08:18:43 +02:00 · 9c1e54a2c8
commit 9c1e54a2c8
parent 30f3c30389
1062 changed files with 19 additions and 20 deletions
--- a/crates/meilisearch/tests/auth/api_keys.rs
+++ b/crates/meilisearch/tests/auth/api_keys.rs
--- a/crates/meilisearch/tests/auth/authorization.rs
+++ b/crates/meilisearch/tests/auth/authorization.rs
--- a/crates/meilisearch/tests/auth/errors.rs
+++ b/crates/meilisearch/tests/auth/errors.rs
@ -0,0 +1,700 @@
+use actix_web::http::StatusCode;
+use actix_web::test;
+use jsonwebtoken::{EncodingKey, Header};
+use meili_snap::*;
+use uuid::Uuid;
+
+use crate::common::{Server, Value};
+use crate::json;
+
+#[actix_rt::test]
+async fn create_api_key_bad_description() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.add_api_key(json!({ "description": ["doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value type at `.description`: expected a string, but found an array: `[\"doggo\"]`",
+      "code": "invalid_api_key_description",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_description"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_bad_name() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.add_api_key(json!({ "name": ["doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value type at `.name`: expected a string, but found an array: `[\"doggo\"]`",
+      "code": "invalid_api_key_name",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_name"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_bad_uid() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    // bad type
+    let (response, code) = server.add_api_key(json!({ "uid": ["doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value type at `.uid`: expected a string, but found an array: `[\"doggo\"]`",
+      "code": "invalid_api_key_uid",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_uid"
+    }
+    "###);
+
+    // can't parse
+    let (response, code) = server.add_api_key(json!({ "uid": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value at `.uid`: invalid character: expected an optional prefix of `urn:uuid:` followed by [0-9a-fA-F-], found `o` at 2",
+      "code": "invalid_api_key_uid",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_uid"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_bad_actions() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    // bad type
+    let (response, code) = server.add_api_key(json!({ "actions": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value type at `.actions`: expected an array, but found a string: `\"doggo\"`",
+      "code": "invalid_api_key_actions",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_actions"
+    }
+    "###);
+
+    // can't parse
+    let (response, code) = server.add_api_key(json!({ "actions": ["doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Unknown value `doggo` at `.actions[0]`: expected one of `*`, `search`, `documents.*`, `documents.add`, `documents.get`, `documents.delete`, `indexes.*`, `indexes.create`, `indexes.get`, `indexes.update`, `indexes.delete`, `indexes.swap`, `tasks.*`, `tasks.cancel`, `tasks.delete`, `tasks.get`, `settings.*`, `settings.get`, `settings.update`, `stats.*`, `stats.get`, `metrics.*`, `metrics.get`, `dumps.*`, `dumps.create`, `snapshots.*`, `snapshots.create`, `version`, `keys.create`, `keys.get`, `keys.update`, `keys.delete`, `experimental.get`, `experimental.update`",
+      "code": "invalid_api_key_actions",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_actions"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_bad_indexes() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    // bad type
+    let (response, code) = server.add_api_key(json!({ "indexes": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value type at `.indexes`: expected an array, but found a string: `\"doggo\"`",
+      "code": "invalid_api_key_indexes",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_indexes"
+    }
+    "###);
+
+    // can't parse
+    let (response, code) = server.add_api_key(json!({ "indexes": ["good doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value at `.indexes[0]`: `good doggo` is not a valid index uid pattern. Index uid patterns can be an integer or a string containing only alphanumeric characters, hyphens (-), underscores (_), and optionally end with a star (*).",
+      "code": "invalid_api_key_indexes",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_indexes"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_bad_expires_at() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    // bad type
+    let (response, code) = server.add_api_key(json!({ "expires_at": ["doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Unknown field `expires_at`: did you mean `expiresAt`? expected one of `description`, `name`, `uid`, `actions`, `indexes`, `expiresAt`",
+      "code": "bad_request",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#bad_request"
+    }
+    "###);
+
+    // can't parse
+    let (response, code) = server.add_api_key(json!({ "expires_at": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Unknown field `expires_at`: did you mean `expiresAt`? expected one of `description`, `name`, `uid`, `actions`, `indexes`, `expiresAt`",
+      "code": "bad_request",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#bad_request"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_missing_action() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) =
+        server.add_api_key(json!({ "indexes": ["doggo"], "expiresAt": null })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Missing field `actions`",
+      "code": "missing_api_key_actions",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#missing_api_key_actions"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_missing_indexes() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server
+        .add_api_key(json!({ "uid": Uuid::nil() , "actions": ["*"], "expiresAt": null }))
+        .await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Missing field `indexes`",
+      "code": "missing_api_key_indexes",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#missing_api_key_indexes"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_missing_expires_at() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server
+        .add_api_key(json!({ "uid": Uuid::nil(), "actions": ["*"], "indexes": ["doggo"] }))
+        .await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Missing field `expiresAt`",
+      "code": "missing_api_key_expires_at",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#missing_api_key_expires_at"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn create_api_key_unexpected_field() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server
+        .add_api_key(json!({ "uid": Uuid::nil(), "actions": ["*"], "indexes": ["doggo"], "expiresAt": null, "doggo": "bork" }))
+        .await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Unknown field `doggo`: expected one of `description`, `name`, `uid`, `actions`, `indexes`, `expiresAt`",
+      "code": "bad_request",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#bad_request"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn list_api_keys_bad_offset() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.list_api_keys("?offset=doggo").await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value in parameter `offset`: could not parse `doggo` as a positive integer",
+      "code": "invalid_api_key_offset",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_offset"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn list_api_keys_bad_limit() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.list_api_keys("?limit=doggo").await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value in parameter `limit`: could not parse `doggo` as a positive integer",
+      "code": "invalid_api_key_limit",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_limit"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn list_api_keys_unexpected_field() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.list_api_keys("?doggo=no_limit").await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Unknown parameter `doggo`: expected one of `offset`, `limit`",
+      "code": "bad_request",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#bad_request"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_bad_description() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "description": ["doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value type at `.description`: expected a string, but found an array: `[\"doggo\"]`",
+      "code": "invalid_api_key_description",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_description"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_bad_name() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "name": ["doggo"] })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Invalid value type at `.name`: expected a string, but found an array: `[\"doggo\"]`",
+      "code": "invalid_api_key_name",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key_name"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_immutable_uid() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "uid": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Immutable field `uid`: expected one of `description`, `name`",
+      "code": "immutable_api_key_uid",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#immutable_api_key_uid"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_immutable_actions() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "actions": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Immutable field `actions`: expected one of `description`, `name`",
+      "code": "immutable_api_key_actions",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#immutable_api_key_actions"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_immutable_indexes() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "indexes": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Immutable field `indexes`: expected one of `description`, `name`",
+      "code": "immutable_api_key_indexes",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#immutable_api_key_indexes"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_immutable_expires_at() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "expiresAt": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Immutable field `expiresAt`: expected one of `description`, `name`",
+      "code": "immutable_api_key_expires_at",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#immutable_api_key_expires_at"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_immutable_created_at() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "createdAt": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Immutable field `createdAt`: expected one of `description`, `name`",
+      "code": "immutable_api_key_created_at",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#immutable_api_key_created_at"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_immutable_updated_at() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "updatedAt": "doggo" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Immutable field `updatedAt`: expected one of `description`, `name`",
+      "code": "immutable_api_key_updated_at",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#immutable_api_key_updated_at"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn patch_api_keys_unknown_field() {
+    let mut server = Server::new_auth().await;
+    server.use_admin_key("MASTER_KEY").await;
+
+    let (response, code) = server.patch_api_key("doggo", json!({ "doggo": "bork" })).await;
+    snapshot!(code, @"400 Bad Request");
+    snapshot!(json_string!(response), @r###"
+    {
+      "message": "Unknown field `doggo`: expected one of `description`, `name`",
+      "code": "bad_request",
+      "type": "invalid_request",
+      "link": "https://docs.meilisearch.com/errors#bad_request"
+    }
+    "###);
+}
+
+async fn send_request_with_custom_auth(
+    app: impl actix_web::dev::Service<
+        actix_http::Request,
+        Response = actix_web::dev::ServiceResponse<impl actix_web::body::MessageBody>,
+        Error = actix_web::Error,
+    >,
+    url: &str,
+    auth: &str,
+) -> (Value, StatusCode) {
+    let req = test::TestRequest::get().uri(url).insert_header(("Authorization", auth)).to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+
+    (response, status_code)
+}
+
+#[actix_rt::test]
+async fn invalid_auth_format() {
+    let server = Server::new_auth().await;
+    let app = server.init_web_app().await;
+
+    let req = test::TestRequest::get().uri("/indexes/dog/documents").to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    snapshot!(status_code, @"401 Unauthorized");
+    snapshot!(response, @r###"
+    {
+      "message": "The Authorization header is missing. It must use the bearer authorization method.",
+      "code": "missing_authorization_header",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#missing_authorization_header"
+    }
+    "###);
+
+    let req = test::TestRequest::get().uri("/indexes/dog/documents").to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    snapshot!(status_code, @"401 Unauthorized");
+    snapshot!(response, @r###"
+    {
+      "message": "The Authorization header is missing. It must use the bearer authorization method.",
+      "code": "missing_authorization_header",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#missing_authorization_header"
+    }
+    "###);
+
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/dog/documents", "Bearer").await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "The provided API key is invalid.",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn invalid_api_key() {
+    let server = Server::new_auth().await;
+    let app = server.init_web_app().await;
+
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/dog/search", "Bearer kefir").await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "The provided API key is invalid.",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+
+    let uuid = Uuid::nil();
+    let key = json!({ "actions": ["search"], "indexes": ["dog"], "expiresAt": null, "uid": uuid.to_string() });
+    let req = test::TestRequest::post()
+        .uri("/keys")
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .set_json(&key)
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    snapshot!(json_string!(response, { ".createdAt" => "[date]",  ".updatedAt" => "[date]" }), @r###"
+    {
+      "name": null,
+      "description": null,
+      "key": "aeb94973e0b6e912d94165430bbe87dee91a7c4f891ce19050c3910ec96977e9",
+      "uid": "00000000-0000-0000-0000-000000000000",
+      "actions": [
+        "search"
+      ],
+      "indexes": [
+        "dog"
+      ],
+      "expiresAt": null,
+      "createdAt": "[date]",
+      "updatedAt": "[date]"
+    }
+    "###);
+    let key = response["key"].as_str().unwrap();
+
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/doggo/search", &format!("Bearer {key}"))
+            .await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "The API key cannot acces the index `doggo`, authorized indexes are [\"dog\"].",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+}
+
+#[actix_rt::test]
+async fn invalid_tenant_token() {
+    let server = Server::new_auth().await;
+    let app = server.init_web_app().await;
+
+    // The tenant token won't be recognized at all if we're not on a search route
+    let claims = json!({ "tamo": "kefir" });
+    let jwt = jsonwebtoken::encode(&Header::default(), &claims, &EncodingKey::from_secret(b"tamo"))
+        .unwrap();
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/dog/documents", &format!("Bearer {jwt}"))
+            .await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "The provided API key is invalid.",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+
+    let claims = json!({ "tamo": "kefir" });
+    let jwt = jsonwebtoken::encode(&Header::default(), &claims, &EncodingKey::from_secret(b"tamo"))
+        .unwrap();
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/dog/search", &format!("Bearer {jwt}")).await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "Could not decode tenant token, JSON error: missing field `searchRules` at line 1 column 16.",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+
+    // The error messages are not ideal but that's expected since we cannot _yet_ use deserr
+    let claims = json!({ "searchRules": "kefir" });
+    let jwt = jsonwebtoken::encode(&Header::default(), &claims, &EncodingKey::from_secret(b"tamo"))
+        .unwrap();
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/dog/search", &format!("Bearer {jwt}")).await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "Could not decode tenant token, JSON error: data did not match any variant of untagged enum SearchRules at line 1 column 23.",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+
+    let uuid = Uuid::nil();
+    let claims = json!({ "searchRules": ["kefir"], "apiKeyUid": uuid.to_string() });
+    let jwt = jsonwebtoken::encode(&Header::default(), &claims, &EncodingKey::from_secret(b"tamo"))
+        .unwrap();
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/dog/search", &format!("Bearer {jwt}")).await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "Could not decode tenant token, InvalidSignature.",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+
+    // ~~ For the next tests we first need a valid API key
+    let key = json!({ "actions": ["search"], "indexes": ["dog"], "expiresAt": null, "uid": uuid.to_string() });
+    let req = test::TestRequest::post()
+        .uri("/keys")
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .set_json(&key)
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    snapshot!(json_string!(response, { ".createdAt" => "[date]",  ".updatedAt" => "[date]" }), @r###"
+    {
+      "name": null,
+      "description": null,
+      "key": "aeb94973e0b6e912d94165430bbe87dee91a7c4f891ce19050c3910ec96977e9",
+      "uid": "00000000-0000-0000-0000-000000000000",
+      "actions": [
+        "search"
+      ],
+      "indexes": [
+        "dog"
+      ],
+      "expiresAt": null,
+      "createdAt": "[date]",
+      "updatedAt": "[date]"
+    }
+    "###);
+    let key = response["key"].as_str().unwrap();
+
+    let claims = json!({ "searchRules": ["doggo", "catto"], "apiKeyUid": uuid.to_string() });
+    let jwt = jsonwebtoken::encode(
+        &Header::default(),
+        &claims,
+        &EncodingKey::from_secret(key.as_bytes()),
+    )
+    .unwrap();
+    // Try to access an index that is not authorized by the tenant token
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/dog/search", &format!("Bearer {jwt}")).await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "The provided tenant token cannot acces the index `dog`, allowed indexes are [\"catto\", \"doggo\"].",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+
+    // Try to access an index that *is* authorized by the tenant token but not by the api key used to generate the tt
+    let (response, status_code) =
+        send_request_with_custom_auth(&app, "/indexes/doggo/search", &format!("Bearer {jwt}"))
+            .await;
+    snapshot!(status_code, @"403 Forbidden");
+    snapshot!(response, @r###"
+    {
+      "message": "The API key used to generate this tenant token cannot acces the index `doggo`.",
+      "code": "invalid_api_key",
+      "type": "auth",
+      "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    }
+    "###);
+}
--- a/crates/meilisearch/tests/auth/mod.rs
+++ b/crates/meilisearch/tests/auth/mod.rs
@ -0,0 +1,7 @@
+mod api_keys;
+mod authorization;
+mod errors;
+mod payload;
+mod tenant_token;
+
+mod tenant_token_multi_search;
--- a/crates/meilisearch/tests/auth/payload.rs
+++ b/crates/meilisearch/tests/auth/payload.rs
@ -0,0 +1,275 @@
+use actix_web::test;
+use serde_json::{json, Value};
+
+use crate::common::Server;
+
+#[actix_rt::test]
+async fn error_api_key_bad_content_types() {
+    let content = json!({
+        "indexes": ["products"],
+        "actions": [
+            "documents.add"
+        ],
+        "expiresAt": "2050-11-13T00:00:00Z"
+    });
+
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+    let app = server.init_web_app().await;
+
+    // post
+    let req = test::TestRequest::post()
+        .uri("/keys")
+        .set_payload(content.to_string())
+        .insert_header(("content-type", "text/plain"))
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 415);
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"The Content-Type `text/plain` is invalid. Accepted values for the Content-Type header are: `application/json`"#
+        )
+    );
+    assert_eq!(response["code"], "invalid_content_type");
+    assert_eq!(response["type"], "invalid_request");
+    assert_eq!(response["link"], "https://docs.meilisearch.com/errors#invalid_content_type");
+
+    // patch
+    let req = test::TestRequest::patch()
+        .uri("/keys/d0552b41536279a0ad88bd595327b96f01176a60c2243e906c52ac02375f9bc4")
+        .set_payload(content.to_string())
+        .insert_header(("content-type", "text/plain"))
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 415);
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"The Content-Type `text/plain` is invalid. Accepted values for the Content-Type header are: `application/json`"#
+        )
+    );
+    assert_eq!(response["code"], "invalid_content_type");
+    assert_eq!(response["type"], "invalid_request");
+    assert_eq!(response["link"], "https://docs.meilisearch.com/errors#invalid_content_type");
+}
+
+#[actix_rt::test]
+async fn error_api_key_empty_content_types() {
+    let content = json!({
+        "indexes": ["products"],
+        "actions": [
+            "documents.add"
+        ],
+        "expiresAt": "2050-11-13T00:00:00Z"
+    });
+
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+    let app = server.init_web_app().await;
+
+    // post
+    let req = test::TestRequest::post()
+        .uri("/keys")
+        .set_payload(content.to_string())
+        .insert_header(("content-type", ""))
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 415);
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"The Content-Type `` is invalid. Accepted values for the Content-Type header are: `application/json`"#
+        )
+    );
+    assert_eq!(response["code"], "invalid_content_type");
+    assert_eq!(response["type"], "invalid_request");
+    assert_eq!(response["link"], "https://docs.meilisearch.com/errors#invalid_content_type");
+
+    // patch
+    let req = test::TestRequest::patch()
+        .uri("/keys/d0552b41536279a0ad88bd595327b96f01176a60c2243e906c52ac02375f9bc4")
+        .set_payload(content.to_string())
+        .insert_header(("content-type", ""))
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 415);
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"The Content-Type `` is invalid. Accepted values for the Content-Type header are: `application/json`"#
+        )
+    );
+    assert_eq!(response["code"], "invalid_content_type");
+    assert_eq!(response["type"], "invalid_request");
+    assert_eq!(response["link"], "https://docs.meilisearch.com/errors#invalid_content_type");
+}
+
+#[actix_rt::test]
+async fn error_api_key_missing_content_types() {
+    let content = json!({
+        "indexes": ["products"],
+        "actions": [
+            "documents.add"
+        ],
+        "expiresAt": "2050-11-13T00:00:00Z"
+    });
+
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+    let app = server.init_web_app().await;
+
+    // post
+    let req = test::TestRequest::post()
+        .uri("/keys")
+        .set_payload(content.to_string())
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 415);
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"A Content-Type header is missing. Accepted values for the Content-Type header are: `application/json`"#
+        )
+    );
+    assert_eq!(response["code"], "missing_content_type");
+    assert_eq!(response["type"], "invalid_request");
+    assert_eq!(response["link"], "https://docs.meilisearch.com/errors#missing_content_type");
+
+    // patch
+    let req = test::TestRequest::patch()
+        .uri("/keys/d0552b41536279a0ad88bd595327b96f01176a60c2243e906c52ac02375f9bc4")
+        .set_payload(content.to_string())
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 415);
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"A Content-Type header is missing. Accepted values for the Content-Type header are: `application/json`"#
+        )
+    );
+    assert_eq!(response["code"], "missing_content_type");
+    assert_eq!(response["type"], "invalid_request");
+    assert_eq!(response["link"], "https://docs.meilisearch.com/errors#missing_content_type");
+}
+
+#[actix_rt::test]
+async fn error_api_key_empty_payload() {
+    let content = "";
+
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+    let app = server.init_web_app().await;
+
+    // post
+    let req = test::TestRequest::post()
+        .uri("/keys")
+        .set_payload(content)
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .insert_header(("content-type", "application/json"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 400);
+    assert_eq!(response["code"], json!("missing_payload"));
+    assert_eq!(response["type"], json!("invalid_request"));
+    assert_eq!(response["link"], json!("https://docs.meilisearch.com/errors#missing_payload"));
+    assert_eq!(response["message"], json!(r#"A json payload is missing."#));
+
+    // patch
+    let req = test::TestRequest::patch()
+        .uri("/keys/d0552b41536279a0ad88bd595327b96f01176a60c2243e906c52ac02375f9bc4")
+        .set_payload(content)
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .insert_header(("content-type", "application/json"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 400);
+    assert_eq!(response["code"], json!("missing_payload"));
+    assert_eq!(response["type"], json!("invalid_request"));
+    assert_eq!(response["link"], json!("https://docs.meilisearch.com/errors#missing_payload"));
+    assert_eq!(response["message"], json!(r#"A json payload is missing."#));
+}
+
+#[actix_rt::test]
+async fn error_api_key_malformed_payload() {
+    let content = r#"{"malormed": "payload""#;
+
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+    let app = server.init_web_app().await;
+
+    // post
+    let req = test::TestRequest::post()
+        .uri("/keys")
+        .set_payload(content)
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .insert_header(("content-type", "application/json"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 400);
+    assert_eq!(response["code"], json!("malformed_payload"));
+    assert_eq!(response["type"], json!("invalid_request"));
+    assert_eq!(response["link"], json!("https://docs.meilisearch.com/errors#malformed_payload"));
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"The json payload provided is malformed. `EOF while parsing an object at line 1 column 22`."#
+        )
+    );
+
+    // patch
+    let req = test::TestRequest::patch()
+        .uri("/keys/d0552b41536279a0ad88bd595327b96f01176a60c2243e906c52ac02375f9bc4")
+        .set_payload(content)
+        .insert_header(("Authorization", "Bearer MASTER_KEY"))
+        .insert_header(("content-type", "application/json"))
+        .to_request();
+    let res = test::call_service(&app, req).await;
+    let status_code = res.status();
+    let body = test::read_body(res).await;
+    let response: Value = serde_json::from_slice(&body).unwrap_or_default();
+    assert_eq!(status_code, 400);
+    assert_eq!(response["code"], json!("malformed_payload"));
+    assert_eq!(response["type"], json!("invalid_request"));
+    assert_eq!(response["link"], json!("https://docs.meilisearch.com/errors#malformed_payload"));
+    assert_eq!(
+        response["message"],
+        json!(
+            r#"The json payload provided is malformed. `EOF while parsing an object at line 1 column 22`."#
+        )
+    );
+}
--- a/crates/meilisearch/tests/auth/tenant_token.rs
+++ b/crates/meilisearch/tests/auth/tenant_token.rs
@ -0,0 +1,568 @@
+use std::collections::HashMap;
+
+use ::time::format_description::well_known::Rfc3339;
+use maplit::hashmap;
+use once_cell::sync::Lazy;
+use time::{Duration, OffsetDateTime};
+
+use super::authorization::{ALL_ACTIONS, AUTHORIZATIONS};
+use crate::common::{Server, Value, DOCUMENTS};
+use crate::json;
+
+fn generate_tenant_token(
+    parent_uid: impl AsRef<str>,
+    parent_key: impl AsRef<str>,
+    mut body: HashMap<&str, Value>,
+) -> String {
+    use jsonwebtoken::{encode, EncodingKey, Header};
+
+    let parent_uid = parent_uid.as_ref();
+    body.insert("apiKeyUid", json!(parent_uid));
+    encode(&Header::default(), &body, &EncodingKey::from_secret(parent_key.as_ref().as_bytes()))
+        .unwrap()
+}
+
+static INVALID_RESPONSE: Lazy<Value> = Lazy::new(|| {
+    json!({
+        "message": null,
+        "code": "invalid_api_key",
+        "type": "auth",
+        "link": "https://docs.meilisearch.com/errors#invalid_api_key"
+    })
+});
+
+static ACCEPTED_KEYS: Lazy<Vec<Value>> = Lazy::new(|| {
+    vec![
+        json!({
+            "indexes": ["*"],
+            "actions": ["*"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        json!({
+            "indexes": ["*"],
+            "actions": ["search"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        json!({
+            "indexes": ["sales"],
+            "actions": ["*"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        json!({
+            "indexes": ["sales"],
+            "actions": ["search"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        json!({
+            "indexes": ["sal*", "prod*"],
+            "actions": ["search"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+    ]
+});
+
+static REFUSED_KEYS: Lazy<Vec<Value>> = Lazy::new(|| {
+    vec![
+        // no search action
+        json!({
+            "indexes": ["*"],
+            "actions": ALL_ACTIONS.iter().cloned().filter(|a| *a != "search" && *a != "*").collect::<Vec<_>>(),
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        json!({
+            "indexes": ["sales"],
+            "actions": ALL_ACTIONS.iter().cloned().filter(|a| *a != "search" && *a != "*").collect::<Vec<_>>(),
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        // bad index
+        json!({
+            "indexes": ["products"],
+            "actions": ["*"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        json!({
+            "indexes": ["prod*", "p*"],
+            "actions": ["*"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+        json!({
+            "indexes": ["products"],
+            "actions": ["search"],
+            "expiresAt": (OffsetDateTime::now_utc() + Duration::days(1)).format(&Rfc3339).unwrap()
+        }),
+    ]
+});
+
+macro_rules! compute_authorized_search {
+    ($tenant_tokens:expr, $filter:expr, $expected_count:expr) => {
+        let mut server = Server::new_auth().await;
+        server.use_admin_key("MASTER_KEY").await;
+        let index = server.index("sales");
+        let documents = DOCUMENTS.clone();
+        index.add_documents(documents, None).await;
+        index.wait_task(0).await;
+        index
+            .update_settings(json!({"filterableAttributes": ["color"]}))
+            .await;
+        index.wait_task(1).await;
+        drop(index);
+
+        for key_content in ACCEPTED_KEYS.iter() {
+            server.use_api_key("MASTER_KEY");
+            let (response, code) = server.add_api_key(key_content.clone()).await;
+            assert_eq!(code, 201);
+            let key = response["key"].as_str().unwrap();
+            let uid = response["uid"].as_str().unwrap();
+
+            for tenant_token in $tenant_tokens.iter() {
+                let web_token = generate_tenant_token(&uid, &key, tenant_token.clone());
+                server.use_api_key(&web_token);
+                let index = server.index("sales");
+                index
+                    .search(json!({ "filter": $filter }), |response, code| {
+                        assert_eq!(
+                            code, 200,
+                            "{} using tenant_token: {:?} generated with parent_key: {:?}",
+                            response, tenant_token, key_content
+                        );
+                        assert_eq!(
+                            response["hits"].as_array().unwrap().len(),
+                            $expected_count,
+                            "{} using tenant_token: {:?} generated with parent_key: {:?}",
+                            response,
+                            tenant_token,
+                            key_content
+                        );
+                    })
+                    .await;
+            }
+        }
+    };
+}
+
+macro_rules! compute_forbidden_search {
+    ($tenant_tokens:expr, $parent_keys:expr) => {
+        let mut server = Server::new_auth().await;
+        server.use_admin_key("MASTER_KEY").await;
+        let index = server.index("sales");
+        let documents = DOCUMENTS.clone();
+        index.add_documents(documents, None).await;
+        index.wait_task(0).await;
+        drop(index);
+
+        for key_content in $parent_keys.iter() {
+            server.use_api_key("MASTER_KEY");
+            let (response, code) = server.add_api_key(key_content.clone()).await;
+            assert_eq!(code, 201, "{:?}", response);
+            let key = response["key"].as_str().unwrap();
+            let uid = response["uid"].as_str().unwrap();
+
+            for tenant_token in $tenant_tokens.iter() {
+                let web_token = generate_tenant_token(&uid, &key, tenant_token.clone());
+                server.use_api_key(&web_token);
+                let index = server.index("sales");
+                index
+                    .search(json!({}), |mut response, code| {
+                        // We don't assert anything on the message since it may change between cases
+                        response["message"] = serde_json::json!(null);
+                        assert_eq!(
+                            response,
+                            INVALID_RESPONSE.clone(),
+                            "{} using tenant_token: {:?} generated with parent_key: {:?}",
+                            response,
+                            tenant_token,
+                            key_content
+                        );
+                        assert_eq!(
+                            code, 403,
+                            "{} using tenant_token: {:?} generated with parent_key: {:?}",
+                            response, tenant_token, key_content
+                        );
+                    })
+                    .await;
+            }
+        }
+    };
+}
+
+#[actix_rt::test]
+async fn search_authorized_simple_token() {
+    let tenant_tokens = vec![
+        hashmap! {
+            "searchRules" => json!({"*": {}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["*"]),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["sales"]),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"*": {}}),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!({"*": null}),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!(["*"]),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {}}),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": null}),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!(["sales"]),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!(["sa*"]),
+            "exp" => json!(null)
+        },
+    ];
+
+    compute_authorized_search!(tenant_tokens, {}, 5);
+}
+
+#[actix_rt::test]
+async fn search_authorized_filter_token() {
+    let tenant_tokens = vec![
+        hashmap! {
+            "searchRules" => json!({"*": {"filter": "color = blue"}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {"filter": "color = blue"}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"*": {"filter": ["color = blue"]}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {"filter": ["color = blue"]}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        // filter on sales should override filters on *
+        hashmap! {
+            "searchRules" => json!({
+                "*": {"filter": "color = green"},
+                "sales": {"filter": "color = blue"}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({
+                "*": {},
+                "sales": {"filter": "color = blue"}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({
+                "*": {"filter": "color = green"},
+                "sales": {"filter": ["color = blue"]}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({
+                "*": {},
+                "sales": {"filter": ["color = blue"]}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+    ];
+
+    compute_authorized_search!(tenant_tokens, {}, 3);
+}
+
+#[actix_rt::test]
+async fn filter_search_authorized_filter_token() {
+    let tenant_tokens = vec![
+        hashmap! {
+            "searchRules" => json!({"*": {"filter": "color = blue"}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {"filter": "color = blue"}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"*": {"filter": ["color = blue"]}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {"filter": ["color = blue"]}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        // filter on sales should override filters on *
+        hashmap! {
+            "searchRules" => json!({
+                "*": {"filter": "color = green"},
+                "sales": {"filter": "color = blue"}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({
+                "*": {},
+                "sales": {"filter": "color = blue"}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({
+                "*": {"filter": "color = green"},
+                "sales": {"filter": ["color = blue"]}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({
+                "*": {},
+                "sales": {"filter": ["color = blue"]}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({
+                "*": {},
+                "sal*": {"filter": ["color = blue"]}
+            }),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+    ];
+
+    compute_authorized_search!(tenant_tokens, "color = yellow", 1);
+}
+
+/// Tests that those Tenant Token are incompatible with the REFUSED_KEYS defined above.
+#[actix_rt::test]
+async fn error_search_token_forbidden_parent_key() {
+    let tenant_tokens = vec![
+        hashmap! {
+            "searchRules" => json!({"*": {}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"*": null}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["*"]),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": null}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["sales"]),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["sali*", "s*", "sales*"]),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+    ];
+
+    compute_forbidden_search!(tenant_tokens, REFUSED_KEYS);
+}
+
+#[actix_rt::test]
+async fn error_search_forbidden_token() {
+    let tenant_tokens = vec![
+        // bad index
+        hashmap! {
+            "searchRules" => json!({"products": {}}),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["products"]),
+            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"products": {}}),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!({"products": null}),
+            "exp" => json!(null)
+        },
+        hashmap! {
+            "searchRules" => json!(["products"]),
+            "exp" => json!(null)
+        },
+        // expired token
+        hashmap! {
+            "searchRules" => json!({"*": {}}),
+            "exp" => json!((OffsetDateTime::now_utc() - Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"*": null}),
+            "exp" => json!((OffsetDateTime::now_utc() - Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["*"]),
+            "exp" => json!((OffsetDateTime::now_utc() - Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": {}}),
+            "exp" => json!((OffsetDateTime::now_utc() - Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!({"sales": null}),
+            "exp" => json!((OffsetDateTime::now_utc() - Duration::hours(1)).unix_timestamp())
+        },
+        hashmap! {
+            "searchRules" => json!(["sales"]),
+            "exp" => json!((OffsetDateTime::now_utc() - Duration::hours(1)).unix_timestamp())
+        },
+    ];
+
+    compute_forbidden_search!(tenant_tokens, ACCEPTED_KEYS);
+}
+
+#[actix_rt::test]
+async fn error_access_forbidden_routes() {
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+
+    let content = json!({
+        "indexes": ["*"],
+        "actions": ["*"],
+        "expiresAt": (OffsetDateTime::now_utc() + Duration::hours(1)).format(&Rfc3339).unwrap(),
+    });
+
+    let (response, code) = server.add_api_key(content).await;
+    assert_eq!(code, 201);
+    assert!(response["key"].is_string());
+
+    let key = response["key"].as_str().unwrap();
+    let uid = response["uid"].as_str().unwrap();
+
+    let tenant_token = hashmap! {
+        "searchRules" => json!(["*"]),
+        "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+    };
+    let web_token = generate_tenant_token(uid, key, tenant_token);
+    server.use_api_key(&web_token);
+
+    for ((method, route), actions) in AUTHORIZATIONS.iter() {
+        if !actions.contains("search") {
+            let (mut response, code) = server.dummy_request(method, route).await;
+            response["message"] = serde_json::json!(null);
+            assert_eq!(response, INVALID_RESPONSE.clone());
+            assert_eq!(code, 403);
+        }
+    }
+}
+
+#[actix_rt::test]
+async fn error_access_expired_parent_key() {
+    use std::{thread, time};
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+
+    let content = json!({
+        "indexes": ["*"],
+        "actions": ["*"],
+        "expiresAt": (OffsetDateTime::now_utc() + Duration::seconds(1)).format(&Rfc3339).unwrap(),
+    });
+
+    let (response, code) = server.add_api_key(content).await;
+    assert_eq!(code, 201);
+    assert!(response["key"].is_string());
+
+    let key = response["key"].as_str().unwrap();
+    let uid = response["uid"].as_str().unwrap();
+
+    let tenant_token = hashmap! {
+        "searchRules" => json!(["*"]),
+        "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+    };
+    let web_token = generate_tenant_token(uid, key, tenant_token);
+    server.use_api_key(&web_token);
+
+    // test search request while parent_key is not expired
+    let (mut response, code) = server.dummy_request("POST", "/indexes/products/search").await;
+    response["message"] = serde_json::json!(null);
+    assert_ne!(response, INVALID_RESPONSE.clone());
+    assert_ne!(code, 403);
+
+    // wait until the key is expired.
+    thread::sleep(time::Duration::new(1, 0));
+
+    let (mut response, code) = server.dummy_request("POST", "/indexes/products/search").await;
+    response["message"] = serde_json::json!(null);
+    assert_eq!(response, INVALID_RESPONSE.clone());
+    assert_eq!(code, 403);
+}
+
+#[actix_rt::test]
+async fn error_access_modified_token() {
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+
+    let content = json!({
+        "indexes": ["*"],
+        "actions": ["*"],
+        "expiresAt": (OffsetDateTime::now_utc() + Duration::hours(1)).format(&Rfc3339).unwrap(),
+    });
+
+    let (response, code) = server.add_api_key(content).await;
+    assert_eq!(code, 201);
+    assert!(response["key"].is_string());
+
+    let key = response["key"].as_str().unwrap();
+    let uid = response["uid"].as_str().unwrap();
+
+    let tenant_token = hashmap! {
+        "searchRules" => json!(["products"]),
+        "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+    };
+    let web_token = generate_tenant_token(uid, key, tenant_token);
+    server.use_api_key(&web_token);
+
+    // test search request while web_token is valid
+    let (response, code) = server.dummy_request("POST", "/indexes/products/search").await;
+    assert_ne!(response, INVALID_RESPONSE.clone());
+    assert_ne!(code, 403);
+
+    let tenant_token = hashmap! {
+        "searchRules" => json!(["*"]),
+        "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
+    };
+
+    let alt = generate_tenant_token(uid, key, tenant_token);
+    let altered_token = [
+        web_token.split('.').next().unwrap(),
+        alt.split('.').nth(1).unwrap(),
+        web_token.split('.').nth(2).unwrap(),
+    ]
+    .join(".");
+
+    server.use_api_key(&altered_token);
+    let (mut response, code) = server.dummy_request("POST", "/indexes/products/search").await;
+    response["message"] = serde_json::json!(null);
+    assert_eq!(response, INVALID_RESPONSE.clone());
+    assert_eq!(code, 403);
+}
--- a/crates/meilisearch/tests/auth/tenant_token_multi_search.rs
+++ b/crates/meilisearch/tests/auth/tenant_token_multi_search.rs