Plugins that require 3rd-party API keys #228

Open
johnd0e opened this issue Jul 28, 2019 · 6 comments
Labels
development general development issue

Comments

johnd0e commented Jul 28, 2019

In fact we have already included some:

  • Bing (hardcoded api key, seems enough for current usage)
  • Yandex (api key usage will be forced soon)

And there are also some plugins that are currently excluded from the official list, because their backend services at some point started to require API keys:

  • HERE (former Nokia)
  • Thunderforest (opencyclemap)
  • MapBox
  • MapQuest
  • ...

In most cases we can't predefine API keys. But every user can come and get their own key.

So the issue: we need a user-friendly way to enter a custom key into iitc/plugin.

johnd0e commented Jul 28, 2019

As every plugin is a JS script, users could edit the source code (to add an API key) themselves. But it wouldn't be good, as every update of the plugin will break such customization.
A more proper way would be to add API key customization separately (in a separate plugin, whose sole function would be to override the API key).

But it is definitely not a friendly way.
So we need some dialog-based way, ideally common for all plugins.

And it would be useful not only for overriding API keys.

johnd0e changed the title from "Plugins for 3rd-party services that need API keys" to "Plugins that need 3rd-party API keys" on Jul 28, 2019
johnd0e added the "development general development issue" label on Jul 28, 2019
johnd0e changed the title from "Plugins that need 3rd-party API keys" to "Plugins that require 3rd-party API keys" on Jan 2, 2020
Aradiv commented Jan 2, 2020

The APIKeys should be stored in a secure way like with GM_set/getValue so only the Plugins owning the APIKey can read it.
#355

johnd0e commented Mar 8, 2020

In most cases API keys are not top secret. And it's not easy to secure them from other scripts (#354 (comment)).

So in opening this issue I rather meant some user-friendly UI, like #336 (comment).

Aradiv commented Mar 8, 2020

Yes, it is possible to combine both:

Just register apiKey handlers to the UI that are able to set secure API keys. This way we can have a user-friendly UI with secured API keys.

The problem with API keys is that often the services only have a limited free tier, and by exposing the API key you can easily create a lot of costs for the API key owner.

So we definitely should make plugins that require API keys like this as secure as possible.

johnd0e commented Mar 8, 2020

API keys are typically designed to belong to the whole application, with all its users.
So if you use your own key only for yourself, you rarely face limits.

API keys typically are limited to a specified host, and have no value beyond it.

I never heard about malicious scripts scraping intel.ingress.com for some API keys.

Most userscripts are open-sourced, and just cannot hide such code.

Thus in 99% of cases we do not need extreme security. And this issue is about these 99%, where we just need a conventional way to redefine some option.

I'm sure that there can be special cases where we really need to secure some data. Obviously that cannot be done in a convenient way, with some common settings dialog. So that should be a separate issue.

Aradiv commented Mar 8, 2020

Yes, but they are also designed to stay secret to the application, and some of the services you listed above provide a way to use temporary/limited tokens if you have to expose them, to limit possible attack vectors; the others suggest using a proxy that will add the API key.

For mapbox you even need a secret token, which is only visible to you once, to get the list of custom maps the user might have defined, unless you want the user to manually specify the mapids.
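
Added example (not part of the issue thread and not IITC or userscript-manager code): a small model of the two storage choices the comments above weigh, page-wide storage versus the per-script value area behind `GM_getValue`/`GM_setValue`. Every name in it (`makeKeyStore`, `pageStorage`, `scriptStorage`, the plugin ids, the key) is hypothetical and constructed for illustration.

```javascript
// Model only: Maps stand in for window.localStorage and for the
// userscript manager's per-script value areas (GM_getValue/GM_setValue).

// Page storage: one area per origin, readable by every script in the page.
function pageStorage(area) {
  return {
    get: (name, dflt) => (area.has(name) ? area.get(name) : dflt),
    set: (name, value) => { area.set(name, String(value)); },
  };
}

// Per-script storage: the manager keeps a separate area for each script id.
function scriptStorage(manager, scriptId) {
  if (!manager.has(scriptId)) manager.set(scriptId, new Map());
  return pageStorage(manager.get(scriptId));
}

// Key store a plugin would use; the storage backend is injected.
function makeKeyStore(pluginId, backend) {
  const slot = `apikey:${pluginId}`;
  return {
    save(key) {
      const k = String(key).trim();
      // Reject empty, very short or non-printable input from a settings dialog.
      if (!/^[\x21-\x7e]{8,256}$/.test(k)) throw new Error('malformed API key');
      backend.set(slot, k);
    },
    load: () => backend.get(slot, null),
    // Masked form for display, so the dialog never renders the full key.
    masked() {
      const k = backend.get(slot, null);
      return k === null ? '(not set)' : `${k.slice(0, 4)}...${k.slice(-2)}`;
    },
  };
}

// Constructed scenario: plugin "map-tiles" saves a key, script "other" looks for it.
function demo() {
  const KEY = 'EXAMPLE-KEY-0000-constructed';
  const origin = new Map();   // shared page storage
  const manager = new Map();  // per-script areas
  makeKeyStore('map-tiles', pageStorage(origin)).save(KEY);
  makeKeyStore('map-tiles', scriptStorage(manager, 'map-tiles')).save(KEY);
  return {
    sharedRead: pageStorage(origin).get('apikey:map-tiles', null),
    isolatedRead: scriptStorage(manager, 'other').get('apikey:map-tiles', null),
    ownerRead: makeKeyStore('map-tiles', scriptStorage(manager, 'map-tiles')).load(),
  };
}
```

Per-script storage isolates the key at rest only; once a plugin places the key in a request to the map service, the key is present in that request.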
