Setting API key as "test" allows access to all services

Question

Setting API key as "test" allows access to all services

ahmedalshamary opened this issue 4 years ago · 1 comments

I am not sure if this is intended functionality but I noticed that if you set the key as test you are able to get access to any of the services that are publicly hosted. Reading through the documentation it seems like you need to request access, so I am not sure if this is just a test endpoint for people to play with or if this is a bug.

If you click this url it works and the geolocate returns a response.
https://location.services.mozilla.com/v1/geolocate?key=test

Answer 1 · 2021-01-04T21:27:32.000Z

Thanks for raising this issue @ahmedalshamary!

I found a few reference to the test key in the project history. In #86 (Jan 2014), it is mentioned as a way to try out MLS in Firefox. However, the current method to set geo.provider.network.url uses the key assigned at build time:

https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%

Another mention is for the rate-limiting feature in #214 (May 2014), which says "we could start adding a limit for the publicly known keys like test."

My guess is that this was a publicly known key that was kept to avoid breaking things for early adopters. I'm setting the API limits to 0, and any users can contact us to re-apply for an API key.