Display actual addresses on participant page #37
base: master
@@ -368,7 +376,37 @@ function encodeAddress(address) { | |||
return formattedAddress; | |||
} | |||
|
|||
// This number should be kept in sync with the port number in nodemon.json | |||
app.get(`${PREFIX_API}/reverseGeocode`, async (request, response) => { |
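Review bot: The `app.get` registration for `${PREFIX_API}/reverseGeocode` passes only the async handler, with no authentication or rate-limiting middleware visible on that line, so as shown any caller who can reach the route can invoke it. Consider putting an auth check and a rate limiter ahead of the handler and limiting the accepted input to data the app already stores. Separately, the comment "This number should be kept in sync with the port number in nodemon.json" now sits directly above this route instead of a port value; move the route so the comment stays next to the port it describes.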
something that hadn't occurred to me earlier - are you essentially allowing anyone to make free geocode requests and spend your money? could i just point my own external code at this endpoint to make geocode requests with your API key, or is this somehow blocked?
Not quite sure, but I think there's a possibility that could happen. But either way it's done, the geo-coded location always shows up on the participant page. A hacker could still access it there? I'm wondering because I thought this works the same way the place search works. Or is this different because the geocoded address is in the JS frontend?
the difference is between a malicious user being able to geocode only addresses that the user has entered vs being able to geocode any arbitrary address. ideally this should be designed such that it's only possible to geocode addresses that are being entered into the db - i.e. a hacker would have to actually be using your app, and you could easily apply rate limiting, etc.
This PR displays the actual participants' addresses.
It's a draft, as I'm awaiting #35 Ved's merge.
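One way to implement the design suggested in the review thread (geocode only locations already stored in the database, with rate limiting in front), as an added example that is not code from this PR. All names (`makeRateLimiter`, `handleReverseGeocode`, `makeStubGeocoder`, the `participants` map) are hypothetical, and the data and geocoder are constructed stand-ins.

```javascript
// Added example; every name here is hypothetical, not taken from the PR.
// Constructed sample rows standing in for the participants table.
const participants = new Map([
  ["p1", { lat: 47.6062, lng: -122.3321 }],
  ["p2", { lat: 40.7128, lng: -74.006 }],
]);

// Fixed-window rate limiter keyed by client (session id, user id or IP).
function makeRateLimiter(limit, windowMs, now = Date.now) {
  const windows = new Map(); // clientKey -> { start, count }
  return function allow(clientKey) {
    const t = now();
    const w = windows.get(clientKey);
    if (!w || t - w.start >= windowMs) {
      windows.set(clientKey, { start: t, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// Core of the route handler. The client names a stored participant, never raw
// coordinates or an address, so the paid geocoder only ever sees database rows.
// The limiter runs first, so probing for unknown ids also uses up the quota.
async function handleReverseGeocode({ clientKey, participantId }, deps) {
  if (!deps.allow(clientKey)) {
    return { status: 429, body: { error: "rate limit exceeded" } };
  }
  const row = deps.participants.get(participantId);
  if (!row) {
    return { status: 404, body: { error: "unknown participant" } };
  }
  const cacheKey = `${row.lat},${row.lng}`;
  if (!deps.cache.has(cacheKey)) {
    // At most one upstream (billed) call per distinct stored location.
    deps.cache.set(cacheKey, await deps.geocode(row.lat, row.lng));
  }
  return { status: 200, body: { address: deps.cache.get(cacheKey) } };
}

// Stub for the paid geocoding API; counts calls so the cost is visible.
function makeStubGeocoder() {
  const stub = async (lat, lng) => { stub.calls += 1; return `address near ${lat},${lng}`; };
  stub.calls = 0;
  return stub;
}
```

In an Express route, `clientKey` would come from the session or `request.ip` and `participantId` from the request parameters, with the returned `status` and `body` passed to `response.status(...).json(...)`.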