Proposal: Pull API key from app.json / share with react-native-mapsSee original GitHub issue
Using the API key as a prop presents obvious security issues. The key should be able to be pulled from
app.json just as with
I have a feeling this isn’t something that is easy to do, but as it is currently it presents an issue that controls on the API key associated with things like the
bundleIdentifier probably don’t work as expected.
The best solution I can conceive is not making the prop required and using it from a dependency from
react-native-maps, since this is required anyway.
I’m going to experiment with this on my own and I believe that as long as
MapView (or another component which relies on an API key) is part of your component and wraps
MapViewDirections it shouldn’t be necessary to use the key directly.
Obviously, this means a bit of a rewrite on
react-native-maps-directions to not request the key, but there must be some way to code around it.
- Created 4 years ago
- Comments:6 (5 by maintainers)
Top GitHub Comments
Decided to comment over here instead of opening a new issue. The idea is that to properly secure the API keys, the API calls should be native, not from JS. With the API calls triggered from JS, one cannot restrict API usage, so if the key is “stolen”, doesn’t matter how, it is compromised.
Thanks for your report and follow-up. I’m closing this issue, as:
app.jsonis something specific to Expo, and not React Native in itself.
MapViewDirectionscomponent itself does not store the API key — It only gets it injected at runtime through a prop.
As a user of this component you can decide yourself where you want to store it. Be it in
app.json, a config-file using
react-native-config, an API call to your own API that you do upfront, etc. Securing those locations falls outside the scope of