We recently got an email from Google saying we got an api key committed to source (https://github.com/akvo/akvo-flow/blob/1b892b0d8fe92c082c5204eaf8ce046ccb4e80f7/Dashboard/app/js/lib/main.js). This was added a very long time ago in 2013. We investigated the issue and the key lives on an account related to billing and that account details now are added to 1password. The key is restricted for usage on Akvo domains. But only very early domains. To my understanding Google maps are not used on any Flow instance at the moment.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Context
We recently got an email from Google saying we got an api key committed to source (https://github.com/akvo/akvo-flow/blob/1b892b0d8fe92c082c5204eaf8ce046ccb4e80f7/Dashboard/app/js/lib/main.js). This was added a very long time ago in 2013. We investigated the issue and the key lives on an account related to billing and that account details now are added to 1password. The key is restricted for usage on Akvo domains. But only very early domains. To my understanding Google maps are not used on any Flow instance at the moment.
Problem or idea
We should delete the key from source.
Solution or next step
We could adopt https://github.com/akvo/akvo-flow/blob/master/GAE/src/org/waterforpeople/mapping/app/web/EnvServlet.java and expose a possible api key. But, if no one is using Google maps then do we really need to generate a key? Maybe it's just to remove the key from source and maybe also retire the API key if it's not used.