[openstreetmap/openstreetmap-website] API key dispenser (#2145)

mmd notifications at github.com
Sat Feb 16 17:39:06 UTC 2019


> Would it make sense for API keys to expire if not renewed regularly?

Most definitely yes.

As it stands, allowing API keys to be embedded in an Overpass query (e.g. `[api_key:"e10359b7d832e21c04c3aa17cbab45c37d7d6244"];`) is asking for trouble. An unsuspecting user may hit the "Share" button in overpass turbo, at which time that key can be trivially harvested by any third party.

overpass turbo's share links were never designed to store any kind of secret information. What's worse, once the API key has leaked this way, the unsuspecting user still has absolutely no idea that someone else might abuse their API key (!).

I find it really hard to imagine that all users manage to keep their API key secret, and know when to create a new API key which would then invalidate their old API key.

Time limiting any kind of token would be one essential step to limit the effects of a leaked token.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2145#issuecomment-464365988
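The mitigations the comment above argues for (time-limited keys that fail validation once they lapse, renewal only while still valid, and keeping an `api_key` setting out of anything that gets shared) as an added example in Ruby. This is illustrative code written for this thread, not code from openstreetmap-website or overpass turbo; the class and method names, the 30-day default lifetime, and the hash-only storage are assumptions.

```ruby
require "securerandom"
require "digest"

# Added example (not openstreetmap-website code): a small API-key store that
# issues time-limited keys, validates them, lets a holder renew before expiry,
# plus helpers that spot an Overpass `[api_key:"..."]` setting so a "Share"
# feature can strip or refuse it. Names and the 30-day lifetime are assumptions.
class ApiKeyStore
  DEFAULT_TTL = 30 * 24 * 60 * 60 # 30 days, an assumed default lifetime

  Record = Struct.new(:user, :expires_at, :revoked)

  def initialize
    @records = {} # keyed by SHA-256 of the key; the plaintext is never stored
  end

  # Issue a fresh key for a user. Only the hash is kept server-side, so a
  # leaked database does not hand out usable keys.
  def issue(user, now: Time.now, ttl: DEFAULT_TTL)
    key = SecureRandom.hex(20) # 40 hex chars, same shape as the value quoted above
    @records[digest(key)] = Record.new(user, now + ttl, false)
    key
  end

  # Returns the owning user when the key is known, unexpired and unrevoked;
  # nil otherwise. An expired key fails exactly like an unknown one.
  def validate(key, now: Time.now)
    rec = @records[digest(key)]
    return nil if rec.nil? || rec.revoked || now >= rec.expires_at
    rec.user
  end

  # Extend a still-valid key. A key that has already lapsed cannot be revived;
  # the holder must mint a new one, which keeps a leaked stale key dead.
  def renew(key, now: Time.now, ttl: DEFAULT_TTL)
    return false if validate(key, now: now).nil?
    @records[digest(key)].expires_at = now + ttl
    true
  end

  # Explicit revocation for a key the holder knows has leaked.
  def revoke(key)
    rec = @records[digest(key)]
    return false if rec.nil?
    rec.revoked = true
    true
  end

  private

  def digest(key)
    Digest::SHA256.hexdigest(key)
  end
end

# An Overpass settings block such as `[api_key:"..."][out:json];` at the start
# of a query. Assumed syntax, following the example quoted in the thread.
API_KEY_SETTING = /\[api_key:"[^"]*"\]/

# True when a query text carries an api_key setting; a "Share" action can use
# this to refuse to embed the query in a public link.
def contains_api_key?(query)
  !!(query =~ API_KEY_SETTING)
end

# Return the query with any api_key setting removed, so the shared text no
# longer carries the secret.
def strip_api_key(query)
  query.gsub(API_KEY_SETTING, "")
end
```

The clock is injected (`now:`) so expiry can be exercised deterministically; in a real deployment the store would be backed by a database table and `validate` would run on every API request, with the expiry check done server-side regardless of what the client claims.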