Prevent our Mapbox API token being abused #5373

Closed
nicolas-raoul opened this issue Oct 31, 2023 · 7 comments
nicolas-raoul commented Oct 31, 2023

There is a possibility that Vivek's Mapbox API token was used by a bad actor, costing 480 USD.

While it is not possible to prevent bad actors from sniffing the network and getting our new token, maybe there are ways to make that less easy and to make the token less usable?

  1. Set "Restrict this token to specific URLs" and set a Referer header to our requests. Not sure it is supported, but worth trying.
  2. Remove the token from GitHub even if it makes it more difficult for new developers to get started (each developer has to register at Mapbox and create their own token). A lighter strategy could be to have two tokens (owned by two core developers), one for GitHub/development and one for releases, to reduce the possibility that we need to revoke production, and so that we can easily distinguish between abuse and actual app growth.
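The second option above amounts to keeping the real token out of the repository and catching it before it is ever committed. The following is an added example (not code from the issue or from the Commons app project) of both halves: a scanner that flags Mapbox-shaped tokens in files about to be committed, and a loader that reads the token from an untracked properties file instead of `strings.xml`. The token shape (`pk.`/`sk.` prefix followed by two base64url segments), the `local.properties` key name and the sample token are assumptions and constructed values, not values from the issue.

```python
import re
from typing import Dict, List, Tuple

# Assumption: Mapbox access tokens are JWT-shaped strings prefixed with
# "pk." (public) or "sk." (secret). Matching the shape, rather than one
# literal token, lets the check catch a replacement token as well.
MAPBOX_TOKEN_RE = re.compile(r"\b(?:pk|sk)\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{10,}\b")

# Constructed sample: a resources file that still carries a (fake) token,
# plus one that uses a placeholder to be filled at build time.
SAMPLE_FILES: Dict[str, str] = {
    "app/src/main/res/values/strings.xml": (
        '<resources>\n'
        '    <string name="mapbox_token">'
        'pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjb25zdHJ1Y3RlZCJ9.abcdefghijklmnop'
        '</string>\n'
        '</resources>\n'
    ),
    "app/src/main/res/values/strings_clean.xml": (
        '<resources>\n'
        '    <string name="mapbox_token">MAPBOX_TOKEN_PLACEHOLDER</string>\n'
        '</resources>\n'
    ),
}

# Constructed sample of an untracked local.properties (Android Studio
# gitignores this file by default; treating it as the token's home is an
# assumption made for this example).
SAMPLE_LOCAL_PROPERTIES = (
    "# local machine settings, never committed\n"
    "sdk.dir=/opt/android-sdk\n"
    "MAPBOX_TOKEN=pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjb25zdHJ1Y3RlZCJ9.abcdefghijklmnop\n"
)


def find_mapbox_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every token-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in MAPBOX_TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding can be logged safely."""
    return token[:3] + "..." + token[-4:]


def check_files(files: Dict[str, str]) -> List[str]:
    """Pre-commit style check: one finding per token; an empty list means clean."""
    findings = []
    for path, content in files.items():
        for lineno, token in find_mapbox_tokens(content):
            findings.append(f"{path}:{lineno}: Mapbox token {redact(token)} must not be committed")
    return findings


def load_token_from_properties(properties_text: str, key: str = "MAPBOX_TOKEN") -> str:
    """Read the token from a Java-style properties file; empty string if absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            return value.strip()
    return ""


if __name__ == "__main__":
    for finding in check_files(SAMPLE_FILES):
        print(finding)
    print("token loaded from local.properties:",
          redact(load_token_from_properties(SAMPLE_LOCAL_PROPERTIES)))
```

Wired into a pre-commit hook, `check_files` runs over the staged files and refuses the commit when it returns anything, which closes the "forgot to revert strings.xml before pushing" gap that a manual release procedure leaves open; the build then injects the value returned by `load_token_from_properties` into the resource at build time.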
@nicolas-raoul (Member, Author)

I replaced the token at https://github.com/commons-app/apps-android-commons/blob/main/app/src/main/res/values/strings.xml with a "disposable" token that I can quickly delete if some GitHub-crawling baddy abuses it, without impacting production.

@sivaraam When releasing please replace with the former token (I can also send it to you in private anytime), without committing that file. Would you mind adding this (and any other tip you have) to https://github.com/commons-app/commons-app-documentation/blob/master/android/Project-maintenance.md? :-)

sivaraam commented Nov 7, 2023

> I replaced the token at https://github.com/commons-app/apps-android-commons/blob/main/app/src/main/res/values/strings.xml with a "disposable" token that I can quickly delete if some GitHub-crawling baddy abuses it, without impacting production.

Sounds like a good first step, Nicolas. 👍🏼

> @sivaraam When releasing please replace with the former token (I can also send it to you in private anytime), without committing that file.

Sure. Feel free to send it to me when possible.

> Would you mind adding this (and any other tip you have) to https://github.com/commons-app/commons-app-documentation/blob/master/android/Project-maintenance.md? :-)

Yeah. I'll add the same, Nicolas. I have a few tweaks to the doc which can be found in another branch: https://github.com/commons-app/commons-app-documentation/blob/maintenance-tweaks/android/Project-maintenance.md

I'll make sure to add this too and raise a PR.

nicolas-raoul commented Nov 13, 2023

Bad news, the Commons-GitHub new token (which I created and posted to GitHub on November 7) just received a Raster Tiles API request from Python, which could be a probe before sending real traffic...
The good thing is that this token can be deleted and replaced at any time without any production impact (done just now).
It might be just a misclassification, but I will keep monitoring closely.
[Screenshot from 2023-11-13 11-50-04]

On the other hand, the production token seems safe so far, with peak activity on weekends, highest day at 4707 requests, highest week at 23,733 so far. As users continue to update their app version, weekly average may reach 40,000 per week, just below the 200,000 monthly free tier:
[Screenshot from 2023-11-13 11-49-30]
[Screenshot from 2023-11-13 12-03-36]
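The monitoring described in this comment (an unexpected client hitting the token, a daily peak around 4,707 requests, and a 200,000-request monthly free tier) can be turned into a small review routine over the dashboard's per-day figures. The code below is an added example, not code from the issue or the Commons app project: the usage records are constructed sample data, the expected user-agent family (`okhttp`) is an assumption about the app's HTTP client, and the spike factor is an arbitrary threshold.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Tuple

FREE_TIER_MONTHLY = 200_000          # monthly free-tier limit quoted in the issue
EXPECTED_AGENTS = {"okhttp"}         # assumption: the Android app's HTTP client family


@dataclass
class DailyUsage:
    day: str                                   # ISO date
    requests: int                              # requests billed to the token that day
    agents: Dict[str, int] = field(default_factory=dict)  # user-agent family -> count


# Constructed sample: a week of normal traffic, then a single probe from a
# non-app client, then a large spike the next day.
SAMPLE_HISTORY: List[DailyUsage] = [
    DailyUsage("2023-11-01", 4100, {"okhttp": 4100}),
    DailyUsage("2023-11-02", 4300, {"okhttp": 4300}),
    DailyUsage("2023-11-03", 4707, {"okhttp": 4707}),
    DailyUsage("2023-11-04", 3900, {"okhttp": 3900}),
    DailyUsage("2023-11-05", 4200, {"okhttp": 4200}),
    DailyUsage("2023-11-06", 4500, {"okhttp": 4500}),
    DailyUsage("2023-11-07", 4000, {"okhttp": 4000}),
    DailyUsage("2023-11-08", 4400, {"okhttp": 4399, "python-requests": 1}),
    DailyUsage("2023-11-09", 30000, {"okhttp": 4300, "python-requests": 25700}),
    DailyUsage("2023-11-10", 4100, {"okhttp": 4100}),
]


def unexpected_agents(history: List[DailyUsage]) -> List[Tuple[str, str, int]]:
    """(day, agent, count) for every request family that is not the app's client.
    Even a single request matters: a probe usually precedes real abuse."""
    found = []
    for usage in history:
        for agent, count in usage.agents.items():
            if agent not in EXPECTED_AGENTS and count > 0:
                found.append((usage.day, agent, count))
    return found


def spike_days(history: List[DailyUsage], factor: float = 3.0,
               baseline_days: int = 7) -> List[Tuple[str, int, int]]:
    """(day, requests, baseline) for days exceeding factor x the trailing mean."""
    alerts = []
    for i in range(baseline_days, len(history)):
        baseline = mean(d.requests for d in history[i - baseline_days:i])
        if history[i].requests > factor * baseline:
            alerts.append((history[i].day, history[i].requests, round(baseline)))
    return alerts


def projected_monthly_requests(history: List[DailyUsage], window: int = 30) -> int:
    """Trailing-window daily mean extrapolated to a 30-day month."""
    recent = history[-window:]
    return round(mean(d.requests for d in recent) * 30)


def review(history: List[DailyUsage]) -> List[str]:
    """Human-readable alerts; an empty list means nothing needs attention."""
    alerts = []
    for day, agent, count in unexpected_agents(history):
        alerts.append(f"{day}: {count} request(s) from unexpected client '{agent}'")
    for day, requests, baseline in spike_days(history):
        alerts.append(f"{day}: {requests} requests vs. trailing baseline {baseline}")
    projected = projected_monthly_requests(history)
    if projected > FREE_TIER_MONTHLY:
        alerts.append(f"projected {projected} requests/month exceeds free tier {FREE_TIER_MONTHLY}")
    return alerts


if __name__ == "__main__":
    for line in review(SAMPLE_HISTORY):
        print(line)
```

Run daily against the exported usage figures, the first rule surfaces the kind of probe this comment reports on the day it happens, while the other two catch the slower case where leaked-token traffic is hidden inside organic growth until the bill arrives.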

mnalis commented Nov 17, 2023

> @sivaraam When releasing please replace with the former token (I can also send it to you in private anytime), without committing that file

Would that affect f-droid builds?

@nicolas-raoul (Member, Author)

@mnalis Yes, F-Droid might not have functioning maps if we need to change the GitHub-stored key often (as happened already twice in a month). F-Droid might want to create an API key and keep it somewhere relatively secret. I expect F-Droid-generated map traffic to be well under the limit of the free tier. Hopefully we will switch to a community-provided map solution soon and get rid of these keys.

sivaraam mentioned this issue Apr 17, 2024

@sivaraam (Member)

Closing this given the release of v5.0.1 in which we replaced Mapbox totally with osmdroid.

@nicolas-raoul (Member, Author)

Fantastic, thanks to everyone involved!

sivaraam reopened this May 13, 2024