[docs] Add warning about download token exposure relates to #3605 and #3396 #3609
Conversation
…and rnmapbox#3396 github issues - Reference to the android and iOS mapbox token setup guides for token creation and mention this is the recommended solution for public repos otherwise it violates mapbox private download token policies - Add alternative keychain solution for android which completely abstracts the key and removes risk of token theft via plain text.
FrederickEngelhardt
had a problem deploying
to
CI with Mapbox Tokens
GitHub Actions
Failure
FrederickEngelhardt
had a problem deploying
to
CI with Mapbox Tokens
GitHub Actions
Failure
FrederickEngelhardt
had a problem deploying
to
CI with Mapbox Tokens
GitHub Actions
Failure
FrederickEngelhardt
had a problem deploying
to
CI with Mapbox Tokens
GitHub Actions
Failure
FrederickEngelhardt
had a problem deploying
to
CI with Mapbox Tokens
GitHub Actions
Failure
FrederickEngelhardt
had a problem deploying
to
CI with Mapbox Tokens
GitHub Actions
Failure
FrederickEngelhardt
had a problem deploying
to
CI with Mapbox Tokens
GitHub Actions
Failure
| @@ -36,6 +36,35 @@ allprojects { | |||
| } | |||
| ``` | |||
|
|
|||
| #### Maven Token with keychain | |||
There was a problem hiding this comment.
It's awesome thanks, but I'm concerned about the added complexity. In general we recommend storing your tokens in ~/.netrc and ~/.gradle/gradle.properties, which should be good for most cases.
There was a problem hiding this comment.
Yeah I can remove this. Those defined sections are good. Plus keystore does not transfer good across machines without an automation script to generate it.
| @@ -27,6 +27,8 @@ Add the following to your `ios/Podfile`: | |||
|
|
|||
| You will need to authorize your download of the Maps SDK with a secret access token with the `DOWNLOADS:READ` scope. This [guide](https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials) explains how to configure the secret token under section `Configure your secret token`. | |||
|
|
|||
| For macOS consider using keychain to store secrets instead. There are cocoapods packages that store and allow secret injections for local builds. Something like [keychainaccess](https://cocoapods.org/pods/KeychainAccess) or [cocoapods-keys](https://github.com/orta/cocoapods-keys) could do this. | |||
There was a problem hiding this comment.
Same as above in general I don't see a problem with tokens in ~/.netrc.
There was a problem hiding this comment.
Yep, only risk is it's a hardcoded string that can be read by other processes and apps on the machine. As mentioned above I can remove this.
| 1. Recommended Approach. Follow the guidelines listed in the offical mapbox-gl guide for [iOS](https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials) and [android](https://docs.mapbox.com/android/maps/guides/install/). | ||
| - For internal docs go to [ios-install](../ios/install.md) [android-install](../android/install.md) | ||
|
|
||
| 2. Alternative approach **for private repos only**. | ||
| - :warning: If this is a public repo **DO NOT follow this approach as this will expose the mapbox download token**. Furthermore if the token has addition permissions (which it should not) it could lead to a monitary cost, security risk (stolen tiles etc) :warning:. | ||
| - **FYI** _Publicizing this private download token is against mapbox policy._ | ||
| - Running expo prebuild, a require step, will statically generate the token within ios/Podfile and android/build.gradle. These files typically need to be committed for functionality so be sure that you are okay with sharing these tokens with your **private** team. |
There was a problem hiding this comment.
I see the following issues:
- You're recommended approach doesn't work with
easthat is the recommended way to build apps - You make the assumption that a public expo repo needs the
iOSandandroidgenerated code checked in, I don't see why you'd want that. Most would use eas where they'd not see iOS and android generated at all. - You don't mention that .apk itself will have the token built in when using eas which is the biggest issue I think: Expo Prebuild Secret Key #3396 (comment)
There was a problem hiding this comment.
@FrederickEngelhardt also the docs from rnmapbox.github.io. are in the https://github.com/rnmapbox/maps-docs/ repo
There was a problem hiding this comment.
Yikes, my familiarity with EAS is minimal. I'll need to familiarize myself with it a bit.
So with EAS android and ios repos are to be ignored? IE git can have those directories ignored?
|
I am also having troubles hiding my secret key when building my app with |
If you don't set RNMapboxMapsDownloadToken and set your secret token in your .netrc and gradle.properties does that work? RNMapboxMapsDownloadToken was implemented for remote build on eas. |
Do you mean my global gradle.properties? Because Ive done it like this: Is there a better way of handling it? |
|
Right so I think I need to
Something like... If the app requires OR commits native directories publicly, then usage of (ios) Apps would require committing their ios or android directories only if they did the following
Am I missing anything for these requirements? Possible alternatives
|
Description
Fixes #3605 #3396
Checklist
CONTRIBUTING.mdyarn generatein the root folder/exampleapp./example)