marlove / react-native-geocoding

MIT License

No way to restrict API keys #18

Closed webraptor closed 4 years ago

webraptor commented 5 years ago

Since this is done outside of NativeModules, one cannot restrict the API key, which is a huge security issue. If the API keys in use are intercepted, everyone could use them and the bill would fall on us.

Yasser-G commented 5 years ago

To restrict an API key:

  1. Go to the Google Cloud Platform Console.
  2. From the Project drop-down menu, select the project that contains the API key you want to secure.
  3. From the Navigation menu, select APIs & Services > Credentials.
  4. On the Credentials page, click the name of the API key that you want to secure.
  5. On the Restrict and rename API key page, set the restrictions:
    • Application restrictions
      • Select IP addresses (web servers, cron jobs, etc.).
      • Add the server IP addresses (see the examples).
    • API restrictions
      • Select Restrict key.
      • Click Select APIs and select Geocoding API. (If there are other enabled APIs you want to use with this key, select them as well.)
    • Click SAVE.

pmierzejewski commented 5 years ago

@Yasser-G how can you make it work, since every device has a different IP? In the case of mobile apps we could restrict it via bundle ID, but it wouldn't work here since it doesn't use native modules :/

webraptor commented 5 years ago

@Yasser-G yeah, @pmierzejewski is correct. That wouldn't work so if anyone's reading the above comment, don't bother.

MuhammadAhmedHassan commented 1 year ago

To get the data, you just have to send a request to the following URL: https://maps.google.com/maps/api/geocode/json?key=YOU_API_KEY&latlng=LAT,LNG

You can send the request from your server, Firebase, or an AWS Lambda function and use the result on the frontend; that way you'll have to specify only one IP_ADDRESS or DOMAIN_NAME, and your API_KEY will be secured.

I know this will cause some latency, but that latency is better than giving a credit card to the hacker.
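
The server-side approach described in the last comment, as an added example (not code from this thread or from react-native-geocoding). It assumes Node 18+ globals (`fetch`, `URL`); the function names and the way the key is passed in are hypothetical.

```javascript
// Added example: the app calls this handler instead of Google, so the key
// never ships in the bundle and can be IP-restricted to the server.
const UPSTREAM = 'https://maps.google.com/maps/api/geocode/json'; // URL quoted in the thread

// Accept only "lat,lng" as two decimal numbers inside valid coordinate ranges.
function parseLatLng(raw) {
  const m = /^(-?\d{1,3}(?:\.\d+)?),(-?\d{1,3}(?:\.\d+)?)$/.exec(raw || '');
  if (!m) return null;
  const lat = Number(m[1]);
  const lng = Number(m[2]);
  if (Math.abs(lat) > 90 || Math.abs(lng) > 180) return null;
  return { lat, lng };
}

// Build the upstream URL. Only validated coordinates and the server's own
// key are used; nothing else from the client query is forwarded.
function buildUpstreamUrl(coords, apiKey) {
  const u = new URL(UPSTREAM);
  u.searchParams.set('latlng', `${coords.lat},${coords.lng}`);
  u.searchParams.set('key', apiKey);
  return u.toString();
}

// Handle one client request. `query` is the client's raw query string,
// `apiKey` comes from server configuration (for example an environment
// variable), `fetchImpl` is injectable so the handler can be tested offline.
async function handleGeocode(query, apiKey, fetchImpl = fetch) {
  const coords = parseLatLng(new URLSearchParams(query).get('latlng'));
  if (!coords) return { status: 400, body: { error: 'invalid latlng' } };
  if (!apiKey) return { status: 500, body: { error: 'server not configured' } };
  const res = await fetchImpl(buildUpstreamUrl(coords, apiKey));
  if (!res.ok) return { status: 502, body: { error: 'upstream error' } };
  const data = await res.json();
  // Return only what the app needs; never echo the upstream URL or the key.
  return { status: 200, body: { status: data.status, results: data.results || [] } };
}
```

Wire `handleGeocode` into whatever runs on the server (an HTTP route, a Firebase function, a Lambda handler) and restrict the key to that server's IP address in the Cloud Console. Put authentication or rate limiting in front of the route, since an open proxy still bills to your account.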