4 Replies
      Latest reply on Jun 28, 2019 11:41 AM by theonlyvicki
      jimmychen Level 1 (0 points)

        Hi, I have a website using MapKit JS and it seems people are using my API code to do massive lookups of the geocode service.

        I'm not sure how they did it. I tried to generate a new API code every 20 minutes that expires in 20 minutes; that didn't work, so I tried to generate a new token every 3 minutes that expires in 3 minutes, and it still didn't prevent the unauthorized usage. I also added my website so the API code generated is supposed to work only on my site, and it still didn't work. Does anyone have an idea why that happens? Or is there any way for MapKit JS to prevent massive lookups of the geocode service from the same IP?

        • Re: How to prevent unauthorized usage
          KMT Level 9 (14,355 points)

          Define 'massive lookup' - I'd wonder if Apple is failing to enable throttling, etc.

           

               >added my website so the api generated is supposed to work only on my site and it still didn't work

           

          Might help to show the code that isn't working...

            • Re: How to prevent unauthorized usage
              jimmychen Level 1 (0 points)

              Hi, my code is working, but it appears that someone is stealing my API code by viewing the source of my web site and then managing to do massive lookups. By massive lookup, I mean he either found a way to call the geo service 3,000 times in an hour or something, and so my usage hit the 25,000 daily limit quickly.

               

              Here's the code that I use to generate the API code using PHP.

              <?php
              /**
               * Copyright 2018 Includable
               * Created by Thomas Schoffelen
               */

              /**
               * Class JWT
               *
               * @package Mapkit
               */
              class JWT
              {
                  /**
                   * Generates a JWT token that can be used for MapKit JS or MusicKit authorization.
                   *
                   * @param string $private_key Contents of, or path to, private key file
                   * @param string $key_id Key ID provided by Apple
                   * @param string $team_id Apple Developer Team Identifier
                   * @param string $origin Optionally limit header origin
                   * @return string|false
                   */
                  public static function getToken($private_key, $key_id, $team_id, $origin = null)
                  {
                      $header = [
                          'alg' => 'ES256',
                          'typ' => 'JWT',
                          'kid' => $key_id
                      ];

                      $body = [
                          'iss' => $team_id,
                          'iat' => time(),
                          'exp' => time() + 240  // expires every 4 minutes
                      ];

                      // Hard-coded site origin; note that this overrides whatever was passed in $origin.
                      $origin = "https://testwebsite.com";

                      if($origin) {
                          $body['origin'] = $origin;
                      }

                      // Unsigned part of the token: base64url(header).base64url(body)
                      $payload = self::encode(json_encode($header)) . '.' . self::encode(json_encode($body));

                      if(!$key = openssl_pkey_get_private($private_key)) {
                          return false;
                      }

                      // ES256 signature over the unsigned part
                      if(!openssl_sign($payload, $result, $key, OPENSSL_ALGO_SHA256)) {
                          return false;
                      }

                      return $payload . '.' . self::encode($result);
                  }

                  /**
                   * URL-safe base64 encoding.
                   *
                   * @param string $data
                   * @return string
                   */
                  private static function encode($data)
                  {
                      $encoded = strtr(base64_encode($data), '+/', '-_');
                      return rtrim($encoded, '=');
                  }
              }
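              KMT asked to see the code because the first thing to verify is what the generated token actually contains: whether the origin claim made it in, and how long the token really lives. The following is an added example, not code from this thread or from the Includable library. It mirrors the header/payload layout of the PHP generator above (ES256 header with kid; body with iss, iat, exp and optional origin) so that a token produced by that generator can be decoded and its claims checked before deployment. It does not verify the ES256 signature, and the key ID, team ID and timestamp values in it are constructed placeholders.

```python
"""Added example: decode a MapKit JS token and check its claims.

Not code from the thread. Mirrors the unsigned layout produced by the PHP
JWT::getToken() above. Signature verification is out of scope; only the
header and the claims are inspected.
"""
import base64
import json
import time


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 without '=' padding, same as the PHP encode() helper."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def build_unsigned_token(key_id, team_id, origin=None, ttl=240, now=None):
    """Build header.payload the way the PHP code does, without a signature.

    Useful only for inspecting claims; a real token needs the ES256
    signature segment appended by the server that holds the private key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "typ": "JWT", "kid": key_id}
    body = {"iss": team_id, "iat": now, "exp": now + ttl}
    if origin:  # same truthiness check as the PHP if($origin)
        body["origin"] = origin
    return (b64url_encode(json.dumps(header).encode())
            + "." + b64url_encode(json.dumps(body).encode()))


def inspect_token(token, max_ttl=600, require_origin=True, now=None):
    """Decode a token and report claim problems.

    Returns {"ok": bool, "header": dict, "claims": dict, "problems": [str]}.
    max_ttl is the longest lifetime (exp - iat) you are willing to ship.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    empty = {"ok": False, "header": {}, "claims": {}}
    if len(parts) < 2:
        return {**empty, "problems": ["not a JWT: fewer than two segments"]}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        return {**empty, "problems": [f"undecodable segment: {exc}"]}

    problems = []
    if len(parts) != 3 or not parts[2]:
        problems.append("missing signature segment")
    if header.get("alg") != "ES256":
        problems.append(f"unexpected alg: {header.get('alg')!r}")
    if not header.get("kid"):
        problems.append("missing kid (Key ID) in header")
    for claim in ("iss", "iat", "exp"):
        if claim not in claims:
            problems.append(f"missing {claim} claim")
    iat, exp = claims.get("iat"), claims.get("exp")
    if isinstance(iat, int) and isinstance(exp, int):
        if exp <= now:
            problems.append("token already expired")
        if exp - iat > max_ttl:
            problems.append(f"lifetime {exp - iat}s exceeds max_ttl {max_ttl}s")
    if require_origin and not claims.get("origin"):
        problems.append("no origin claim: token is not restricted to a site")
    return {"ok": not problems, "header": header, "claims": claims, "problems": problems}


if __name__ == "__main__":
    # Constructed placeholder values; paste a real token in place of `demo`.
    demo = build_unsigned_token("KEYID_PLACEHOLDER", "TEAMID_PLACEHOLDER",
                                origin="https://testwebsite.com") + "." + b64url_encode(b"\x00" * 64)
    report = inspect_token(demo)
    print(json.dumps(report, indent=2))
```

              Running inspect_token over a token copied from the page source shows the real lifetime (the PHP comment says 4 minutes, the post says 3; exp minus iat settles it) and whether the origin claim is present at all. Keep in mind what the origin claim does and does not do: it ties the token to a site origin for browser-initiated requests, so it is worth having, but it is not a usage cap, and it will not tell you who is calling. Watching the daily quota and rotating the key when abuse is suspected are still the controls that matter.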

            • Re: How to prevent unauthorized usage
              theonlyvicki Apple Staff (40 points)

              Hi Jimmy, could you file a ticket about this via Feedback Assistant https://feedbackassistant.apple.com/welcome to open a direct line of communication with Apple on this? Also, if you haven't tried this already, you might try revoking this key and using a new key.