How to pass the bill for Yandex Maps API usage on to your neighbor, or why an IT giant needs quality control

Since June 10, 2019 (and in fact since November 2019), Yandex no longer supports anonymous use of the JS API and HTTP Geocoder services: metered API requests (search, geocoding, panoramas, etc.) stopped working without a key. But Yandex did not provide adequate billing or request tracking. If you are curious how the bill for geocoding can be pushed onto the giants of Runet (the partners listed on the service's home page), and how "cleverly" request tracking is done, welcome under the cut.



Why did this article appear
I would not have written this post if the respected valshavel had not rejected my comment on the article "How we implemented WebAssembly in Yandex.Maps and why we left JavaScript". The question asked was "why".

Writing to Yandex.Maps technical support (from over 10 years of experience) is not effective; one gets the feeling there is only one developer carrying the whole project. Honestly, instead of Sberbank, the golden share should have been given to this developer, plus a couple percent of the ordinary shares.



"How it works" with the JS API for Maps



The company or developer registers in the Yandex developer cabinet and creates a key (it looks like a UUID). The key has no settings at all (domain binding, limits, etc.) and serves only to separate billing.



On the page that needs map functions, a JS script with the API key is inserted (URLs for the "paid" version may differ):



<head>
  <script src="https://api-maps.yandex.ru/2.1/?apikey=<your API key>&lang=ru_RU" type="text/javascript"></script>
</head>





Noticed it? No? Watch closely:



  1. The key is public. (HELLO! What the heck kind of billing is it, by a public API key?)
  2. There are no settings on the key (binding to a domain, to a service, limits).
  3. Anyone can take your key and use it for any purpose (this is not prohibited by law: you publish it on your page yourself, and a random hash is not subject to copyright).


The article could end here. But we stand for good and for our own money, considering that once this key is published, it gets spent by third parties.



Let's think about what the daddy of Runet (not the biological one, but still) and that hero developer need to do so that the children don't suffer:



  1. One map - one key (https://www.mapbox.com/).

    The key belongs to a specific map. In the key settings, allowed domains are registered (don't forget about wildcards). Geocoding through the HTTP API with this key is prohibited.
  2. Request limits.

    I don't want to pay because of abusers.
  3. Key authorization / private key.

    I want a key for my services that use geocoding, with separate billing for them. I don't want some junior to log into the cabinet and take my key for a public map.


While all this is missing, anyone can take your key and geocode to their heart's content.
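To make the three proposals concrete, here is a small model of what a key-settings layer on the service side would enforce: a public (page-embedded) key bound to allowed domains with wildcards, a per-key request limit, and a separate private key for server-side geocoding with its own bill. This is an added illustration, not Yandex's or Mapbox's code; the key ids, hostnames and quotas are constructed, and the only inputs are the key, the requested service and the browser's Origin/Referer header.

```python
"""Model of the proposed key controls: domain binding with wildcards,
per-key request limits, and separate public vs. private keys.
Added illustration, not the map provider's code; ids and hosts are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class KeyPolicy:
    key_id: str                              # constructed id, not a real API key
    kind: str                                # "public" (embedded in a page) or "private" (server-side)
    allowed_domains: Tuple[str, ...] = ()    # only meaningful for public keys
    max_requests: int = 100                  # requests allowed per window
    window_seconds: int = 60
    hits: List[float] = field(default_factory=list)   # timestamps inside the window
    billed: int = 0                          # accepted requests charged to this key's owner


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or '*.example.org' matching any subdomain (not the bare apex)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])    # pattern[1:] is ".example.org"
    return host == pattern


def origin_host(header_value: str) -> str:
    """Host part of an Origin or Referer header; '' if absent or unparsable."""
    if not header_value:
        return ""
    return (urlsplit(header_value).hostname or "").lower()


def authorize(policy: KeyPolicy, service: str, origin: str, now: float) -> Tuple[bool, str]:
    """Decide one request. service is 'js-map' or 'http-geocode'."""
    # 1. A key that lives in a web page is never accepted by the HTTP geocoder.
    if policy.kind == "public" and service == "http-geocode":
        return False, "public key cannot call the HTTP geocoder"
    # 2. Public keys are bound to the domains that embed them.
    if policy.kind == "public":
        host = origin_host(origin)
        if not host or not any(host_matches(host, p) for p in policy.allowed_domains):
            return False, f"origin {host or '<none>'} not allowed for {policy.key_id}"
    # 3. Sliding-window quota, enforced for every kind of key.
    policy.hits = [t for t in policy.hits if t > now - policy.window_seconds]
    if len(policy.hits) >= policy.max_requests:
        return False, "quota exceeded"
    policy.hits.append(now)
    policy.billed += 1                       # only accepted requests are charged
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a site key copied onto a foreign domain, plus a private key."""
    site_key = KeyPolicy("pub-key-EXAMPLE", "public",
                         ("example.org", "*.example.org"), max_requests=2)
    server_key = KeyPolicy("priv-key-EXAMPLE", "private", max_requests=1000)
    t = 1000.0
    results = {
        "own_site": authorize(site_key, "js-map", "https://maps.example.org", t)[0],
        "copied_key": authorize(site_key, "js-map", "https://other-site.test", t)[0],
        "no_origin": authorize(site_key, "js-map", "", t)[0],
        "public_geocode": authorize(site_key, "http-geocode", "https://example.org", t)[0],
        "second_ok": authorize(site_key, "js-map", "https://example.org", t + 1)[0],
        "third_over_quota": authorize(site_key, "js-map", "https://example.org", t + 2)[0],
        "after_window": authorize(site_key, "js-map", "https://example.org", t + 61)[0],
        "server_geocode": authorize(server_key, "http-geocode", "", t)[0],
    }
    results["site_key_billed"] = site_key.billed
    results["server_key_billed"] = server_key.billed
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The domain check stops the cheap case the post describes (your key copied into someone else's page and loaded by ordinary browsers), but Origin and Referer are set by the client, so a scripted caller can forge them; that is why the quota is applied regardless of kind, and why the private key, which never appears in a page, is the only one the geocoder accepts.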



All the best, and take care of your keys =)


