Expo Prebuild Secret Key

[thomas-coldwell]

Hi, I've just started setting up MapBox in my Expo app (following the linked guide here - https://rnmapbox.github.io/docs/install) and I apply the config plugin for it via an app.config.ts file as shown below so that I can store the MAPBOX_SK in a .env file that is not checked into source control. This works great, however, once npx expo prebuild is ran this then spits the SK out into the native Podfile and gradle.properties files which I want to keep checked into source control - the presence of the SK in these files now prevents me from keeping these in source control without leaking the secret key out.

import { ExpoConfig, ConfigContext } from "expo/config";

module.exports = ({ config }: ConfigContext): ExpoConfig => {
  return {
    name: config.name!,
    slug: config.slug!,
    ...config,
    plugins: [
      ...(config.plugins ?? []),
      [
        "@rnmapbox/maps",
        {
          RNMapboxMapsDownloadToken: process.env.MAPBOX_SK,
        },
      ],
    ],
  };
};

My question here is what is the correct approach using Expo to keep the secret key safe here? On the iOS and Android tabs in the installation guide it recommends placing the SK into the global gradle properties file or for iOS in a .netrc file (this is also recommended by the official mapbox guides e.g. https://docs.mapbox.com/ios/maps/guides/install/#configure-credentials).

Cheers! 🙌

[mfazekas]

@thomas-coldwell you can use .netrc and global grade properties for mapbox tokens. But those will not work if you use eas remote builds. I guess your's is a niche use case, where you want to use expo prebuild, you don't use eas and you want to check in the io/android to your CI and you don't want secrets there.
Not sure what happens if you don't specifiy the download token in expo config.

Closing this as it's not something we plan to support, but we still accept pr for it.

[thomas-coldwell]

Hey @mfazekas ! Thanks for the quick reply here 🙌 In my setup I still want to use EAS to do remote builds, but for development builds I want to do them locally on my machine and just generally keep the native project files checked in. Looks like if I pass an empty object as the second param for the config plugin (e.g. no download token specified), then it does generate everything correctly and at that point I can use a .netrc file and global gradle.properties file to specify the key and then on EAS I could do a check in my app.config.ts to pass the token in there to build properly in the CI environment.

Again thank you for you're help and maybe all there needs to be is a small comment in the docs that you can optionally not specify it and use the iOS and Android ways of passing this key in - happy to write that in a PR myself or if you'd rather consider that internally :)

[mfazekas]

@thomas-coldwell thanks much I'm not sure about the docs. My concern is keeping the docs simple, this is infomation 99% of users don't need, so we can put it into an advanced guide, not sure.

[JordanHe]

@thomas-coldwell are you able to explain how you set up your project so that you can make a preview or production build with eas but making sure the mapbox secret key isn't exposed anywhere? not quite sure how to do it correctly.

[nixolas1]

@mfazekas I think this is less of a niche, as it seems the token is included in output bundles of normal (non-prebuild) EAS builds of our apps. So I think it affects all apps that use Expo with EAS builds.

Checked the Android apk version, and the secret key was included in the /assets/app.config file.
I don't feel like it's a big issue, as the scopes are for download only, but still not perfect.
Maybe a bit similar to Sentry's issue with Auth token? They ended up reading directly from .env file instead of app.config I think.

We define it like this, is there a correct way to do it?:

[
      "@rnmapbox/maps",
      {
        RNMapboxMapsImpl: "mapbox",
        RNMapboxMapsDownloadToken: process.env.MAPBOX_DOWNLOAD_TOKEN,
      },
    ],

[mfazekas]

@nixolas1 Thanks for the heads up. Yes we should probably clarify this in the Doscs that this way the token is leaked via apk. And and implement and document a way to use eas/secrets envs. It will make expo config a bit more complicated, as eas secrets doesn't work on local builds.