mapbox / mapbox-gl-js

Interactive, thoroughly customizable maps in the browser, powered by vector tiles and WebGL
https://docs.mapbox.com/mapbox-gl-js/

Using Temporary Access Tokens #12623

Open andrewjknapp opened 1 year ago

andrewjknapp commented 1 year ago

mapbox-gl-js version:

Question

Is it possible to update the access token that a map is using while that map is rendered?

I have been tasked with ensuring there are no long-lived access tokens used within our front-end code. I have been able to set up a system to fetch a new temporary Mapbox access token each time our app is visited, which allows the user to load the map, and this works as expected.

However, the maximum time that these temporary access tokens can be valid (so far as I can find) is 1 hour. After that token expires, no new section of the map can be loaded, as the calls to the Mapbox API fail.

My plan was to watch for an error on the onError method of the map, and when errors related to an unauthenticated token arise, I could then fetch a new temporary access token and use that instead.

The problem is I have not been able to find a way to update which access token the map uses.

Overall my question is

Thank you for any advice. I have been working on this for a few weeks now, so I thought it would be best to ask here. Let me know if there is any other information I can provide to help out with this question.

Links to related documentation

Temporary Token generation: https://docs.mapbox.com/help/tutorials/get-started-tokens-api/

stepankuzmin commented 1 year ago

Hi @andrewjknapp,

To better understand your specifics, please elaborate more on your use case.

  1. Why does your organization require temporary access tokens instead of long-lived ones? Are there specific security concerns or other reasons that mandate using temporary tokens?
  2. Are there any restrictions, policies, or requirements within your organization that prevent you from using long-lived access tokens in conjunction with other security measures, such as token rotation or additional access controls?
  3. Is your application's audience primarily internal users within your organization or external users such as clients or customers? This information might be helpful to help us understand the security constraints you're working with and offer some other suggestions.

Have you considered using long-lived tokens with URL restrictions to enhance security? https://docs.mapbox.com/accounts/guides/tokens/#url-restrictions

Thanks!

ytetsuro commented 5 months ago

@stepankuzmin

Thanks! Me too. I want to use temporary access tokens.

> Why does your organization require temporary access tokens instead of long-lived ones? Are there specific security concerns or other reasons that mandate using temporary tokens?

Short-lived TOKENs are better than long-lived TOKENs, as there is less impact on the system if the TOKEN has to be changed.

> Are there any restrictions, policies, or requirements within your organization that prevent you from using long-lived access tokens in conjunction with other security measures, such as token rotation or additional access controls?

Don't you think that users who know the public token can divert the public token by creating a back-end service that tampers with the referrer?

> Is your application's audience primarily internal users within your organization or external users such as clients or customers? This information might be helpful to help us understand the security constraints you're working with and offer some other suggestions.

The latter.

Currently, the only way I can confirm that I can use temporary tokens is to use a service worker to listen to fetch and replace the access_token. However, if I don't have to use the service worker, I don't want to.
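
The service-worker approach mentioned in the comment above, sketched as an added example (not code from this thread or from the Mapbox project): requests to the Mapbox API host have their `access_token` swapped for a cached short-lived token that is refreshed shortly before it expires. The `/api/mapbox-token` endpoint, its `{ token, expiresAtMs }` response shape, the host allowlist and all function names are assumptions.

```javascript
// Added example. Host list, refresh margin and backend endpoint are assumptions.
const MAPBOX_HOSTS = new Set(['api.mapbox.com']);
const REFRESH_MARGIN_MS = 60 * 1000; // refresh one minute before expiry

// Only HTTPS requests to an allowlisted host that already carry access_token
// are rewritten, so the token is never attached to a third-party origin.
function isMapboxTokenRequest(url) {
  const u = new URL(url);
  return u.protocol === 'https:' && MAPBOX_HOSTS.has(u.hostname) &&
    u.searchParams.has('access_token');
}

// Return `url` with its access_token replaced; other URLs come back unchanged.
function withFreshToken(url, token) {
  if (!isMapboxTokenRequest(url)) return url;
  const u = new URL(url);
  u.searchParams.set('access_token', token);
  return u.toString();
}

// True when no token is cached or the cached one is inside the refresh margin.
function needsRefresh(cached, nowMs) {
  return !cached || cached.expiresAtMs - nowMs <= REFRESH_MARGIN_MS;
}

let cachedToken = null; // { token, expiresAtMs }
let inflight = null;    // de-duplicates concurrent refreshes

// fetchToken is the app's own call to its backend, which mints the temporary token.
async function currentToken(fetchToken, nowMs = Date.now()) {
  if (!needsRefresh(cachedToken, nowMs)) return cachedToken.token;
  inflight ??= fetchToken()
    .then((t) => (cachedToken = t))
    .finally(() => (inflight = null));
  return (await inflight).token;
}

// Wiring, active only inside a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  const fromBackend = () => fetch('/api/mapbox-token').then((r) => r.json());
  self.addEventListener('fetch', (event) => {
    const { request } = event;
    if (request.method !== 'GET' || !isMapboxTokenRequest(request.url)) return;
    event.respondWith(
      currentToken(fromBackend).then((tok) => fetch(withFreshToken(request.url, tok)))
    );
  });
}
```

The long-lived account secret stays on the backend that serves the token endpoint; the page and the worker only ever hold the temporary token.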

popescu-af commented 4 months ago

@stepankuzmin

> Have you considered using long-lived tokens with URL restrictions to enhance security? https://docs.mapbox.com/accounts/guides/tokens/#url-restrictions

Unfortunately the URL-restrictions do not really help much as one can just add a Referer or Origin header to the request, pointing to an allowed domain. I just tested this in the terminal and was able to download a tile, which means anyone can create extra costs for the mapbox account holder.

Even rotations are not enough as their period has to be long enough to not generate too many extra map loads for the clients (which again are extra costs). So a long enough operational period gives an "intruder" enough time to, again, use the token and generate extra illicit costs.

popescu-af commented 4 months ago

@ytetsuro

> Currently, the only way I can confirm that I can use temporary tokens is to use service worker to listen to fetch and replace the access_token. However, if I don't have to use the service worker, I don't want to.

What do you mean by service worker? Some component that manages temporary tokens and makes sure to refresh them? How do you update the token for an existing Map instance without causing a reload?