Referer parameter #558

Closed
3 tasks done
lukBakTsh opened this issue May 18, 2020 · 3 comments · Fixed by #526 or #562

lukBakTsh commented May 18, 2020

Question

How to use the referer parameter correctly?
If this parameter works only for the Web, how can I restrict access to the key for the Android/iOS app?

My current settings:

<GooglePlacesAutocomplete
  referer="http://example.com"
/> 

and http://example.com item in the GCP -> Application restrictions -> HTTP referrers for Google Places API

Response

API keys with referer restrictions can not be used with this API

Where is this problem happening

  • iOS
  • Android

If you are using expo please indicate here:

  • I am using expo

Version Information

  • Library Version: 1.6.1

@bell-steven
Collaborator

Hey @lukBakTsh thanks for the report and for following the issue template.
I just tried this, and this is definitely an issue. This was added recently (before I started maintaining the package, so I never tested this).

I pinged the author of the PR for this, I'll update this if/when I hear back.

Contributor

sapter commented May 19, 2020

@bell-steven
The prop referrer is correct. Meaning that the Places API, being intended by Google to be for web, does accept that prop. That said, it is true that using it in an iOS/Android app makes no sense and will not pass the referrer validation. That is because the whole idea of adding that prop is to restrict the use of your API key to only those who come from your own website/webapp. However, adding that restriction in a (non-web) app defeats that purpose as you're NOT coming from ANY website - instead, you're coming from an app. However, it will work in web apps and React Native Web.

In short, the prop works as intended and referrer="http://example.com" does indeed check if you came from example.com, and correctly returns API keys with referrer restrictions can not be used with this API because it cannot determine what website you came from because you didn't come from a website but from an app.

What to do?
One option is to leave as is and rely on developers to have the common sense to not add referrer restrictions in native apps and only use it in web apps. Another option is to make it fool-proof and add the referrer restriction only in web apps. I've created a PR for that. See #561

@bell-steven
Collaborator

@lukBakTsh I removed the referrer prop, as there doesn't seem to be any way to make it work without the Google SDKs.
