Open ben-z opened 9 years ago
@ben-z Thanks for your feedback. You're correct that tokens.txt should be hidden better and not be so easy to read, but ultimately those keys are loaded into the JS application and anyone opening developer tools/firebug/etc could find them pretty easily anyway. There's probably a better approach, but for an application that only gets traffic for a couple of months of the year I just haven't had the time to do a better security job.
Ultimately, those keys could be useful to someone who knows their way around the mapping APIs we use, but the datasets themselves are archived and under source control so rolling back to a previous state is relatively painless. And the points all undergo manual review before being added to the UW Open Data API.
Nonetheless I'll leave this issue open because it is something I want to address before people start visiting this app again next spring. I have a possible solution in mind, but I should also do more research into how people build applications using client side API keys without exposing them.
As for any enlightenment on the ways of UW, there's no magic here. Just a developer doing this as a learning exercise and trying to efficiently spend his time.
Thank you @jmccarth for the explanation, I look forward to living among these human-attacking gooses in a couple of months!
When I first saw the file structure, I thought that `tokens.txt` is supposed to provide a way to obtain the API keys on the client without revealing them. But on http://goose-watch.uwaterloo.ca/, the access to `tokens.txt` doesn't seem to be encrypted in any way (I see that the `agol_client_id` starts with `t3E7JqOoS`). Doesn't that mean anyone could take those keys, tamper with them, and break this wonderful application?
Please enlighten me with the ways of UW.