-
-
Notifications
You must be signed in to change notification settings - Fork 848
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[docs] Add warning about download token exposure relates to #3605 and #3396 #3609
base: main
Are you sure you want to change the base?
Conversation
…and rnmapbox#3396 github issues - Reference to the android and iOS mapbox token setup guides for token creation and mention this is the recommended solution for public repos otherwise it violates mapbox private download token policies - Add alternative keychain solution for android which completely abstracts the key and removes risk of token theft via plain text.
@@ -36,6 +36,35 @@ allprojects { | |||
} | |||
``` | |||
|
|||
#### Maven Token with keychain |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's awesome thanks, but I'm concerned about the added complexity. In general we recommend storing your tokens in ~/.netrc and ~/.gradle/gradle.properties, which should be good for most cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I can remove this. Those defined sections are good. Plus keystore does not transfer good across machines without an automation script to generate it.
@@ -27,6 +27,8 @@ Add the following to your `ios/Podfile`: | |||
|
|||
You will need to authorize your download of the Maps SDK with a secret access token with the `DOWNLOADS:READ` scope. This [guide](https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials) explains how to configure the secret token under section `Configure your secret token`. | |||
|
|||
For macOS consider using keychain to store secrets instead. There are cocoapods packages that store and allow secret injections for local builds. Something like [keychainaccess](https://cocoapods.org/pods/KeychainAccess) or [cocoapods-keys](https://github.com/orta/cocoapods-keys) could do this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above in general I don't see a problem with tokens in ~/.netrc
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, only risk is it's a hardcoded string that can be read by other processes and apps on the machine. As mentioned above I can remove this.
1. Recommended Approach. Follow the guidelines listed in the offical mapbox-gl guide for [iOS](https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials) and [android](https://docs.mapbox.com/android/maps/guides/install/). | ||
- For internal docs go to [ios-install](../ios/install.md) [android-install](../android/install.md) | ||
|
||
2. Alternative approach **for private repos only**. | ||
- :warning: If this is a public repo **DO NOT follow this approach as this will expose the mapbox download token**. Furthermore if the token has addition permissions (which it should not) it could lead to a monitary cost, security risk (stolen tiles etc) :warning:. | ||
- **FYI** _Publicizing this private download token is against mapbox policy._ | ||
- Running expo prebuild, a require step, will statically generate the token within ios/Podfile and android/build.gradle. These files typically need to be committed for functionality so be sure that you are okay with sharing these tokens with your **private** team. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see the following issues:
- You're recommended approach doesn't work with
eas
that is the recommended way to build apps - You make the assumption that a public expo repo needs the
iOS
andandroid
generated code checked in, I don't see why you'd want that. Most would use eas where they'd not see iOS and android generated at all. - You don't mention that .apk itself will have the token built in when using eas which is the biggest issue I think: Expo Prebuild Secret Key #3396 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@FrederickEngelhardt also the docs from rnmapbox.github.io. are in the https://github.com/rnmapbox/maps-docs/ repo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yikes, my familiarity with EAS is minimal. I'll need to familiarize myself with it a bit.
So with EAS android and ios repos are to be ignored? IE git can have those directories ignored?
I am also having troubles hiding my secret key when building my app with |
If you don't set RNMapboxMapsDownloadToken and set your secret token in your .netrc and gradle.properties does that work? RNMapboxMapsDownloadToken was implemented for remote build on eas. |
Do you mean my global gradle.properties? Because Ive done it like this: Is there a better way of handling it? |
Right so I think I need to
Something like... If the app requires OR commits native directories publicly, then usage of (ios) Apps would require committing their ios or android directories only if they did the following
Am I missing anything for these requirements? Possible alternatives
|
Description
Fixes #3605 #3396
Checklist
CONTRIBUTING.md
yarn generate
in the root folder/example
app./example
)