I’m just doing the local weather challenge. It suggests using the Dark Sky API, but the Dark Sky API page clearly states:
Your Dark Sky secret key. (Your secret key must be kept secret; in particular, do not embed it in JavaScript source code that you transmit to clients.)
And doing it solely on CodePen means that is exactly what is going to be done, as it was when I looked at another challenge in review. This does not seem at all appropriate, when expressly not allowed by Dark Sky, yet it seems to be what is recommended by the challenge, and indeed is what people are having to do without any back-end coding experience to put it on a server (it being a front-end challenge).
For my challenge I am setting up a PHP script on my site to handle the API call, but I wanted to raise this issue.
These are FREE APIs that they’re giving left and right anyway, so no harm in making them publicly viewable.
Now, if you paid for this API and you have a restricted monthly quota, then I agree it should be kept private. + you need to be communicating via SSL end to end + you need to whitelist your site so only your authorized domains can use your API.
Is this an official view from Dark Sky or just your personal opinion? When their page clearly states “Your secret key must be kept secret; in particular, do not embed it in JavaScript source code that you transmit to clients.”, I hardly think this can be the case. If it is, it really needs stating on the challenge page.
Just because it’s free, does not mean that it’s ok to distribute it when specifically requested not to do so. There can be many reasons why, and that is the choice of Dark Sky. They are not given away “left and right” - they require a verified email address and that is then limited to 1000 a day.
I don’t work for Dark Sky and yes, just my opinion. But you can search the forum, this has been discussed several times.
Yes, ideally a client browser calls a server-side script (Keys stored in environment variables), which makes the calls to the API service, and returns only the result to the user’s browser.
Now, if you have the browser making the API calls directly via JavaScript, and the student’s code is stored at CodePen, then really everyone can see the API key.
I guess the other option is for new learning students to setup their own server, run server side script, get their own SSLs, and really hide this “weather API” because it’s so important. Other people may try to steal their API keys and they’ll hit their 1000 limit pretty soon.
Well I did that for my challenge (that is currently in progress). It wouldn’t work to expect all learners to do that, since it’s a front-end certificate that it counts towards, and that would not be front-end work.
I would be happy for other learners to use the back-end code I wrote, and perhaps in the future some other solution can be found. It is set up to work on CodePen and check that the origin is also CodePen, by providing for and checking the appropriate origin headers. I’m happy to maintain it if any problems occur for others using it, and welcome suggested improvements. It can be accessed using something like the following:
Google solved this API key security problem (even though your Google API key is viewable in the JavaScript code, client side) by implementing restrictions via HTTP referrers or IP address, etc.
For Google’s paying customers, they’re using ClientIDs and Project IDs instead of API keys.