-
-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: use google maps api to support secure requests #311
Conversation
This PR would introduce a breaking change for users who use the Google provider, since it requires that the Google JS API needs to be loaded into the DOM before the provider object can be instantiated. The recommended implementation would be something like:
Unfortunately, that means that accepting this PR would be a major version bump. Of course, I'm open to other suggestions of how to handle this scenario. |
@smeijer just a friendly "ping" to see what you think about this approach. I don't mean to be a bother - I sincerely appreciate all of your hard work on this repo and want to be respectful of your time - but I do think that this is an important fix, as it will help users of the Google provider to protect their API keys. It's not quite ready for merge, but I think it's close, I could use your perspective on it. I would be happy to arrange a pairing session with you to talk this through, I'm sure we could knock it out together pretty quickly. |
@smeijer thank you so much for continuing to maintain this project! I'm still really interested in getting the work in this PR merged - is it something you think you'll be interested in? I'm sorry that I don't quite have the confidence as a frontend dev to "finish" it myself, it would be great if we had the chance to collaborate on it. I think it's close, I just can't quite test it correctly, and I'd like the guidance of someone who's a more experienced frontend dev. |
ce19809
to
312a771
Compare
Hi! Sorry I've let you hanging like that. I've fixed the I'll have to continue the work later, as the Google Provider currently doesn't run for me. I think it's just the current state of this pull, but I need to take another look. When I run
|
@smeijer No worries! I am sure that you're very busy, and I sincerely appreciate all of the time and expertise you've dedicated to this project. In regards to the error you're getting, I believe that this is because of the way the
This way, it ensures that the script from Google is loaded before the user could potentially call one of its methods. My apologies for not documenting that yet, I didn't want to go too far down this rabbit hole in case you had a different way that you would want to handle this. Maybe there's a more elegant solution? I realize that the way I've set it up now creates a breaking change for current GoogleProvider users, but again, I think it's worthwhile, so as to make use of "correct" API and to allow users to restrict the use of their keys - I wrote a bit about that in some of the comments in the thread #269 I'm curious to hear your thoughts on this, let me know what I can do to help this along. |
Hey @darrenklein, since this would be a breaking change for current users of Google Provider, you could probably just treat this as an entirely new provider |
That's an interesting idea - but I'd really like the repo owner's guidance on the best way forward with this. |
I'd love to see this one going through @darrenklein ! |
@kstratis If what I've got here is roughly the right way to go, then yes, I'd love to see the work get finished and merged as well - but I think we need input from the repo owner to really finish this properly, as this would most definitely be a significant breaking change for current Google provider users (it will not only require code changes, but also possibly changes to Google account settings, all of which will need to be documented) - I've taken this as far as I feel comfortable without his guidance. If this is important to you, please consider pinging the repo owner. |
@@ -70,7 +70,6 @@ | |||
"amusement_park", | |||
"establishment", | |||
"point_of_interest", | |||
"premise", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe that this value is no longer a possible option in the Google response, should double-check though.
This one is a long time coming and -imho- truly important since (without it) Google provider is effectively broken. @smeijer What's actually left to do here to move this forward? |
@darrenklein, @kstratis I've added you both as collaborators on this project, so you'll be able to create branches here, and merge pulls - like this one - into main without me. Please take this forward as you seem fit. I'll add a github action here later this week, so that any merged pull request also automatically gets published to npm. |
Regarding the breaking change, there are ways to make the new provider work in the old way, unless a The alternative would be to rename the current provider to What are your thoughts? I'm totally cool with having a breaking change for the sake of security. |
@smeijer thank you very much for the opportunity - if we can get this finished, I do hope that you'll give it a look over and weigh in with any thoughts you have. @kstratis if you are interested in working on this, I would really appreciate the opportunity to collaborate. I'm not a super-strong JS/TS developer, and it's also been a few months since I really looked at this, so I'm a little rusty on what I was doing here. If you feel up to it, that would really help a lot - I see you're in Greece, and I'm in northeastern US - maybe we could find some time to pair? |
Thank you @smeijer !
Could you plz elaborate? What do you mean? What's this option about? @darrenklein Let's push this over the finish line. In the next few days I'll be looking at the code and try to complete your todo list. |
Feel free to ping me (@meijer_s) there as well, I'm much more responsive on Twitter than on github, due to the overflow in notifications. Regarding backwards compatibility, I was thinking in the line of renaming the current provider to I'm not sure about naming it |
Thanks all - unfortunately, I am not a Twitter user... but ok don't worry, we'll figure out a way to communicate. Do we feel like maintaining backwards compatibility is the right idea? In most circumstances, I'd say yes, but this is a bit of a unique situation. The issue is a little deeper than just the security aspect - it's also that Google advises against using the current endpoint for client-originating requests (if I recall, I don't think they specifically say why that's the case - but they indicate that the current endpoint is for fully-formed server-originating requests, as opposed to dynamic client-based requests). To be clear, I've personally never run into any problems with the current configuration of the Google provider (aside from the security aspect), but I haven't used it a lot, so I don't know, maybe it can be problematic on a high-traffic application. |
d0df903
to
2a6bebf
Compare
@darrenklein I pushed some commits earlier on and addressed a couple of minor issues and comments.
I already mentioned in my comment earlier that since a method is declared as
I've managed to test it against my app and works wonderfully. Here's how I did it:
Follow the steps above and once you get a clean working directory do this:
This way you'll effectively be creating a tgz file under your Now switch to your own app, open the package.json and replace the
run
I'll update the docs. Could you plz have a look at the code again? Are the tests good to go? |
4069c70
to
e93114b
Compare
d56fd44
to
4ccbfe1
Compare
I'm currently trying to fix the github action, which keeps complaining about the Specifically these three: https://github.com/smeijer/leaflet-geosearch/pull/311/files/d58c3634d632fe8fa002c2a28dcb827cd2d9ac6f..9276070cc5a7de441707ef26bae3e0c9e37d0f73 The GoogleMaps script is now loaded via the constructor, and the search action only waits if the loading isn't done at the moment the user starts typing. That way, the first search is way faster. I've added the |
return { results: response }; | ||
}, | ||
) | ||
const geocoder = this.geocoder || (await this.loader); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Very clever!
🚀🚀🚀
Love where you've taken this. To be honest I was afraid that this might blow up but to my surprise it went through! Looks like the instance returns immediately and the async call carries on uninterrupted until called in
This thing caused me a few nightmares a couple days ago. Super glad to know that you guard against it! Overall, I absolutely love the direction this thing took! I definitely picked up a few things on the way! @darrenklein Seems like the separation you talked about here .... is happening! 🙌 |
7618154
to
6453ded
Compare
cbccd3d
to
dbdad1c
Compare
That's exactly what's happening. The async call isn't "awaited", so it just runs in the background. By the time the user has focussed the input and pressed a key to search, the promise has already resolved, and the callback in the |
While I was writing that message, all flags turned green. Let's go! 🚀 |
@all-contributors please add @darrenklein for code, test, doc |
I've put up a pull request to add @darrenklein! 🎉 |
@all-contributors please add @kstratis for code, test, doc |
I've put up a pull request to add @kstratis! 🎉 |
🎉 This PR is included in version 3.7.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
I can't thank you two enough for what you've done here. This change would not have landed if it weren't for your endless time, effort and patience. Thank you so much! Much, much appreciated. |
@smeijer Thank you so much for the opportunity to contribute to this project. I really appreciate all of your hard work over the years, it is an honor to be a part of this! And, of course, thank you very much for your thoughts and contributions on this piece of work. @kstratis Could not have done this without you! Your expertise and hard work were exactly what was needed here, no way was I ever going to figure all of that out! It's been a pleasure working with you on this, hopefully again some day (both of you)! |
@IsabellaS09 good news!!! ⬆️ |
This is still a work-in-progress, but I believe that it generally fixes the issue outlined in #269.
In brief summary -
A Google Maps API key provides a user with two means for geocoding address and location data -
This PR upgrades this repo by shifting Google Maps geocoding support from the first method to the second.
In order to use this service, the owner of the Google Maps API key needs to make sure their key is allowed to make use of both the Maps JavaScript API and Geocoding API (typically, a new API key is unrestricted by default and would be able to access these services and more.
There's probably a lot left to do before this is merge-ready, but here are a few things off the top of my head
TODO -
GoogleProvider
class no longer needs to implement anendpoint
method, but I'm not sure how to remove it without TypeScript complainingGoogleProvider
'ssearch
method looks to me to be in the right format when compared to other providers, I haven't yet been able to successfully test it in the context of an app. When trying to use a local copy of this repo, I get errors from theaddMarker
andcenterMap
methods - that's not specifically a symptom of this branch, it happens if I use a local copy of the main repo as well (and with a different provider). I haven't yet been able to figure out why that would be.I would gladly welcome any help and feedback needed to get this PR in ship-shape!
Many thanks to @twillard22 for helping me crack some TS errors!
Edit - just documenting this again here to be thorough. The work I've done in this PR needs to be instantiated by a user via something like