Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call API key after knitting to HTML instead of embedding key #236

Open
jacciz opened this issue Jun 15, 2021 · 4 comments
Open

Call API key after knitting to HTML instead of embedding key #236

jacciz opened this issue Jun 15, 2021 · 4 comments

Comments

@jacciz
Copy link

jacciz commented Jun 15, 2021
edited
Loading

This is more of a feature request particularly for non self-contained HTMLs. The API key gets embedded inside the HTML document after knitting and would like the option to call the key from a separate file. I do plan on hosting the HTML reports on a public website. My solution for now was to save the js file that the API calls into 'api.js' file and then change the HTML code to call this file. Below is the script.

library(xml2)

files = list.files(pattern = ".html")

replace_api_key <- function(html_filename) {
  h2 = read_html(html_filename)
  
  # Find api key
  g_api <- xml_find_first(h2, "//script[contains(@src, 'maps.googleapis.com')]")
  xml_attrs(g_api)<- c(src = 'lib/api.js')
  
  write_html(h2, html_filename,
             options = c("as_html"))
}
@jacciz jacciz changed the title Call API key after knitting to HTML Call API key after knitting to HTML instead of embedding key Jun 15, 2021
@dcooley
Copy link
Collaborator

dcooley commented Jun 15, 2021

Could you expand a little on what this request is please; I don't quite understand what you're asking.

Is your replace_api_key() function a proposed function for googleway?
And how will the api key get called after the html has been knitted?

@dcooley dcooley mentioned this issue Jun 15, 2021
Open
@jacciz
Copy link
Author

jacciz commented Jun 15, 2021

I'm creating a series of HTML reports that will be publicly available. I do not want the key to be embedded inside these HTMLs. Rather I want to call the key inside the HTML. It's my understanding this is more secure?

I'm saving this js file that gets retrieved via your code below to a dependency folder (lib). This file I called api.js.

header <- paste0('<script src="https://maps.googleapis.com/maps/api/js?key=',
                key, '&libraries=', paste0(libraries, collapse = ","), '"></script>',
                '<script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>')

Then I'm changing the script src to call api.js.

<script src=";ib/api.js"></script>

I hope this makes sense. Or maybe there's a better way?

@dcooley
Copy link
Collaborator

dcooley commented Jun 15, 2021

One solution I often use: If you're hosting the reports on your own server you can 'white list' that server in the API console, so that your key only works on that server.

In your proposed solution, is the key still visible in the source of the html file, or is it completely hidden?

@jacciz
Copy link
Author

jacciz commented Jun 15, 2021
edited
Loading

I'm no web developer but I think the DOM still needs to read the js files. So it's not in the HTML, per se, but you do have to dig deeper to find it. Not sure if possible to encrypt it. But since I have 70+ reports, they are all reading this one file rather than each one having the key embedded. This makes it easier if I were to change/restrict the key.
I'll look into this 'white list', it may be a better solution. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dcooley @jacciz