As also mentioned in another related issue, using Google API Keys is troublesome, especially when stored in a JavaScript file (that anyone can read).
Instead, Google suggests using a Service Account; so any server-side code actually authenticates to Google (using a private key or certificate) and receives a temporary access_token, which can then be passed to the URLs when accessing Google Services.
In the Geolocator config, only a Google API Key can be specified. Could this be extended to allow an access_token, which would then be used on URLs instead of the Key=xxx parameter?
I think that would solve a lot of security issues as well as enable all Google Services to work (at least for those ready to add a server-side component for the authentication).
Cheers
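
The server-side step described in the post, as an added example that is not part of the original issue or of Geolocator's code: Node.js code that builds the signed JWT assertion a service account sends to Google's OAuth 2.0 token endpoint in exchange for a short-lived access_token. The service account e-mail, the scope choice and the throwaway key pair are constructed for the demo; a real deployment loads the private key from the service account's credentials on the server and never ships it to the browser.

```javascript
// Added example: server-side half of the service-account flow (Node.js, no network).
const crypto = require('node:crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const b64url = (v) => Buffer.from(v).toString('base64url');

// Build the RS256-signed JWT the server presents instead of an API key.
// The private key is used here only; it never appears in client-side code.
function buildAssertion({ clientEmail, privateKeyPem, scope,
                          now = Math.floor(Date.now() / 1000), lifetime = 3600 }) {
  if (lifetime > 3600) throw new RangeError('assertion lifetime is capped at one hour');
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = { iss: clientEmail, scope, aud: TOKEN_URL, iat: now, exp: now + lifetime };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Form body for the POST to TOKEN_URL; the JSON response carries access_token and expires_in.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// The check the token endpoint performs with the registered public key:
// returns the claims if the signature is valid, otherwise null.
function verifyAssertion(jwt, publicKeyPem) {
  const [h, c, s] = jwt.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${c}`), publicKeyPem,
                           Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(c, 'base64url').toString()) : null;
}

// Constructed demo values (not real credentials).
const DEMO_EMAIL = 'geo-backend@example-project.iam.gserviceaccount.com';
const DEMO_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';
const demoKeys = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

const demoJwt = buildAssertion({ clientEmail: DEMO_EMAIL, privateKeyPem: demoKeys.privateKey,
                                 scope: DEMO_SCOPE });
console.log(tokenRequestBody(demoJwt).slice(0, 80) + '...');
```

Only the access_token returned by the token endpoint would be handed to the page, so a leak exposes a credential that expires rather than a long-lived key.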