-
-
Notifications
You must be signed in to change notification settings - Fork 847
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[docs] Add warning about download token exposure relates to #3605 and #3396 #3609
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -27,6 +27,8 @@ Add the following to your `ios/Podfile`: | |
|
||
You will need to authorize your download of the Maps SDK with a secret access token with the `DOWNLOADS:READ` scope. This [guide](https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials) explains how to configure the secret token under section `Configure your secret token`. | ||
|
||
For macOS consider using keychain to store secrets instead. There are cocoapods packages that store and allow secret injections for local builds. Something like [keychainaccess](https://cocoapods.org/pods/KeychainAccess) or [cocoapods-keys](https://github.com/orta/cocoapods-keys) could do this. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same as above in general I don't see a problem with tokens in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yep, only risk is it's a hardcoded string that can be read by other processes and apps on the machine. As mentioned above I can remove this. |
||
|
||
|
||
Run `pod install` to download the proper mapbox dependency. | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -28,22 +28,33 @@ After installing this package, add the [config plugin](https://docs.expo.io/guid | |
} | ||
``` | ||
|
||
### Setup Download Token | ||
|
||
You'll need to provide `RNMapboxMapsDownloadToken` as well. This secret token requires the `DOWNLOADS:READ` scope. You can refer to the [iOS guide](https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials), which explains how to configure this token under the section `Configure your secret token`. | ||
|
||
```json | ||
{ | ||
"expo": { | ||
"plugins": [ | ||
[ | ||
"@rnmapbox/maps", | ||
{ | ||
"RNMapboxMapsDownloadToken": "sk.ey...qg" | ||
} | ||
] | ||
] | ||
} | ||
} | ||
``` | ||
1. Recommended Approach. Follow the guidelines listed in the offical mapbox-gl guide for [iOS](https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials) and [android](https://docs.mapbox.com/android/maps/guides/install/). | ||
- For internal docs go to [ios-install](../ios/install.md) [android-install](../android/install.md) | ||
|
||
2. Alternative approach **for private repos only**. | ||
- :warning: If this is a public repo **DO NOT follow this approach as this will expose the mapbox download token**. Furthermore if the token has addition permissions (which it should not) it could lead to a monitary cost, security risk (stolen tiles etc) :warning:. | ||
- **FYI** _Publicizing this private download token is against mapbox policy._ | ||
- Running expo prebuild, a require step, will statically generate the token within ios/Podfile and android/build.gradle. These files typically need to be committed for functionality so be sure that you are okay with sharing these tokens with your **private** team. | ||
Comment on lines
+35
to
+41
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I see the following issues:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @FrederickEngelhardt also the docs from rnmapbox.github.io. are in the https://github.com/rnmapbox/maps-docs/ repo There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yikes, my familiarity with EAS is minimal. I'll need to familiarize myself with it a bit. So with EAS android and ios repos are to be ignored? IE git can have those directories ignored? |
||
|
||
```json | ||
{ | ||
"expo": { | ||
<!-- "plugins": [ --> | ||
[ | ||
"@rnmapbox/maps", | ||
{ | ||
<!-- WARNING This WILL BE PUBLIC if on a public repo --> | ||
"RNMapboxMapsDownloadToken": "sk.ey...qg" | ||
} | ||
] | ||
] | ||
} | ||
} | ||
``` | ||
|
||
If you want to show the user's current location on the map with the [UserLocation](../docs/UserLocation.md) component, you can use the [expo-location](https://docs.expo.dev/versions/latest/sdk/location/) plugin to configure the required `NSLocationWhenInUseUsageDescription` property. Install the plugin with `npx expo install expo-location` and add its config plugin to the plugins array of your `app.{json,config.js,config.ts}`: | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's awesome thanks, but I'm concerned about the added complexity. In general we recommend storing your tokens in ~/.netrc and ~/.gradle/gradle.properties, which should be good for most cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I can remove this. Those defined sections are good. Plus keystore does not transfer good across machines without an automation script to generate it.