Define theme setting for Google Maps API key #187
Merged
matt-bernhardt merged 1 commit into master from Sep 22, 2025
** Why are these changes being introduced:

* We received a bug report for having the Google Maps API key in our repository as a security vulnerability.

** Relevant ticket(s):

* https://mitlibraries.atlassian.net/browse/pw-172

** How does this address that need:

* While we disagree that this represents a security vulnerability - the key is sent to all website users in order to load map assets - there is also no need to handle the key directly in our source code. This defines a theme settings field that will store this key going forward, which will also allow us to rotate the key more easily without a code change.
* The access granted to our maps key has also been restricted, which results in less ability for users to spot the key (as happened here) and then probe its ability for related APIs that are not needed but were inadvertently authorized.

** Document any side effects to this change:

* It is marginally easier for non-developers to manage this key now.
1dfdf2c to d938276
djanelle-mit approved these changes Sep 22, 2025

djanelle-mit left a comment
This looks good to me!
I was able to confirm that the settings page exists, it stores a value, an incorrect value breaks the maps, and the correct value has the map appear on the location page.
This converts a hard-coded Google Maps key into a configurable theme setting, which will make it easier to rotate and manage the key value without code changes.
Please note that the key is not a sensitive value - it is sent to user agents in order for users' browsers to connect with and load Google Maps content. This change makes the key slightly less visible, but there are separate security restrictions managed for the key to prevent unauthorized use.
Ticket: https://mitlibraries.atlassian.net/browse/PW-172
Developer
Stylesheets
string incremented.
Secrets
Documentation
Accessibility
our guide and
all issues introduced by these changes have been resolved or opened as new
issues (link to those issues in the Pull Request details above)
Stakeholder approval
Dependencies
NO dependencies are updated
Code Reviewer
(not just this pull request message)