You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adding the download key RNMapboxMapsDownloadToken to expo's App.json / app.config.js cause it to publish to the podfile and gradle.properties file.
I had the key abstracted to a local config file. But expo prebuild does not know these items are secrets so it adds them to the Podfile and gradle file which normally need to be committed.
Should I be ignoring the gradle properties and podfile for xcode projects that are auto-generating some things?
Workaround / Security Doc update
If this is not intended...
I think we should update the docs to protect these keys. The download key exposure seems to be low risk for now, but could get your banned if a bad actor took the key and spammed the api.
We can add docs or point to docs about .netrc (ios) and local.properties for android.
Environment
Latest expo 51 (as a development build) with RN74.
Steps to reproduce
Add the config key. Run expo prebuild and see the key be added to the android/gradle.properties and ios/Podfile
Publish it to github public and get a warning about exposing download keys. 😢
A PR with a warning in docs would be great. Also a PR addressing this correctly with Env vars would be also nice. You can also consider not checking in iOS and android to your ci, but even then the secrets will be in built product’s eas.json I think.
…and rnmapbox#3396 github issues
- Reference to the android and iOS mapbox token setup guides for token creation and mention this is the recommended solution for public repos otherwise it violates mapbox private download token policies
- Add alternative keychain solution for android which completely abstracts the key and removes risk of token theft via plain text.
Adding the download key
RNMapboxMapsDownloadToken
to expo's App.json / app.config.js cause it to publish to the podfile and gradle.properties file.I had the key abstracted to a local config file. But expo prebuild does not know these items are secrets so it adds them to the Podfile and gradle file which normally need to be committed.
Questions
Workaround / Security Doc update
If this is not intended...
.netrc
(ios) andlocal.properties
for android.Environment
Latest expo 51 (as a development build) with RN74.
Steps to reproduce
expo prebuild
and see the key be added to the android/gradle.properties and ios/PodfileYou can try it on this repo. https://github.com/VirtualizeLLC/examples. Add the key to the
apps/mapbox/app.config.js
or make a .local.config and add the key there.Afterwards run
nx run mapbox:prebuild --clean
it should add the download keys.The text was updated successfully, but these errors were encountered: