fix(security): move mapbox token to env variable #2619
+56
−33
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Even though the token is sent with all client-side requests, it's good practice to keep tokens like this in an environment variable. `MAPBOX_ACCESS_TOKEN=XXXXXX` needs to be defined in the root `.env` file. See https://ghe/HMDA-Operations/hmda-devops/issues/4812
contolini
force-pushed
the
4812-mapbox-token
branch
from
36b32e9 to
b4ade60
Compare
contolini
force-pushed
the
4812-mapbox-token
branch
from
b4ade60 to
efc02d3
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a Mapbox environment variable that Vite injects at build time. Even though the token is sent with all client-side requests and not a secret, it's good practice to keep tokens like this in an environment variable.
See #4812
Fixes #2479
Changes
MAPBOX_ACCESS_TOKENneeds to be defined in the root.envfile..env.examplefile with placeholder variables.Testing
yarn buildandyarn startshould work as expected whenMAPBOX_ACCESS_TOKENis defined and fail when it's undefined.Notes
VITE_but IMHO it's confusing and ugly to name the variableVITE_MAPBOX_ACCESS_TOKENso I manually defined the variable in Vite's config per their guidance.import.metausage so I edited its config to ignore it. Modern versions of ECMAScript are fine with it but if we set"ecmaVersion": "latest"in our ESLint config, it throws a bajillion other errors because the app's coding style is antiquated.