
RNMapboxMapsDownloadToken is exposed when using expo:prebuild under build.gradle and podfile #3605

Open
FrederickEngelhardt opened this issue Sep 1, 2024 · 3 comments · May be fixed by #3609

Comments

@FrederickEngelhardt
Contributor

Adding the download key RNMapboxMapsDownloadToken to expo's App.json / app.config.js causes it to be published to the Podfile and gradle.properties files.

I had the key abstracted into a local config file, but expo prebuild does not know these items are secrets, so it adds them to the Podfile and gradle file, which normally need to be committed.

```js
// eslint-disable-next-line @nx/enforce-module-boundaries
const localConfig = require('../../.local.config.js')
const expoConfig = {
  plugins: [
    // ... (other plugins omitted)
    [
      '@rnmapbox/maps',
      {
        RNMapboxMapsVersion: '11.4.0',
        RNMapboxMapsDownloadToken:
          localConfig.mapbox.RNMapboxMapsDownloadToken,
      },
    ],
  ],
}

module.exports = expoConfig
```

Questions

  1. Is this intended?
  2. Should I be ignoring the gradle properties and podfile for xcode projects that are auto-generating some things?

Workaround / Security Doc update

If this is not intended...

  • I think we should update the docs to protect these keys. The download key exposure seems to be low risk for now, but could get you banned if a bad actor took the key and spammed the API.
  • We can add docs or point to docs about .netrc (iOS) and local.properties (Android).

Environment

Latest expo 51 (as a development build) with RN74.

Steps to reproduce

  1. Add the config key. Run expo prebuild and see the key be added to android/gradle.properties and ios/Podfile.
  2. Publish it to github public and get a warning about exposing download keys. 😢

You can try it on this repo: https://github.com/VirtualizeLLC/examples. Add the key to apps/mapbox/app.config.js or make a .local.config and add the key there.

Afterwards, run nx run mapbox:prebuild --clean; it should add the download keys.

@mfazekas
Contributor

mfazekas commented Sep 1, 2024

See also:

#3396

A PR with a warning in docs would be great. Also, a PR addressing this correctly with env vars would also be nice. You can also consider not checking in ios and android to your CI, but even then the secrets will be in the built product’s eas.json, I think.

@FrederickEngelhardt
Contributor Author

I'll look at making a PR. May also want to add something to expo for this. Secret handling especially for open source needs to be prioritized.

FrederickEngelhardt added a commit to FrederickEngelhardt/rnmapbox-maps that referenced this issue Sep 2, 2024
…and rnmapbox#3396 github issues

- Reference to the android and iOS mapbox token setup guides for token creation and mention this is the recommended solution for public repos otherwise it violates mapbox private download token policies
- Add alternative keychain solution for android which completely abstracts the key and removes risk of token theft via plain text.
@FrederickEngelhardt
Contributor Author

Done in #3609 🎉 . Let's follow up there. Let's close this issue once that PR is accepted.
