Skip to main content

Private Maps

The Private Map feature is available to Mappedin Pro and Enterprise customers. Refer to the Pricing Page for more information.

Overview

When a Mappedin Map is set to Live, it is accessible to the public. It may be required to restrict access to a map for security or privacy reasons. This can be achieved by leaving the map in Draft mode and configuring the Mappedin Viewer to authenticate using an access token. The access token is generated by an authentication proxy that is deployed within your own infrastructure and can be protected by any authentication method, such as requiring the user to be logged in or connected to a VPN.

Authentication Flow

The following diagram explains the authentication flow when using a private map.

  1. A user opens Mappedin Viewer to load a map.
  2. The Mappedin Viewer attempts to access the authentication proxy to request an access token using the provided URL.
  3. An authentication method of your choice is used to validate the user and grant access to the authentication proxy.
  4. A request is made to the authentication proxy to generate an access token.
  5. The authentication proxy uses Mappedin API Keys to request an access token from the Mappedin API Key REST API.
  6. The authentication proxy receives the access token and returns it to the Mappedin Viewer.
  7. The Mappedin Viewer uses the access token to download the map from Mappedin's infrastructure.

Authentication Diagram

When using this method, the Mappedin API Key used to generate the access token is stored securely in your own infrastructure and not exposed to the user. The access token is only valid for a short period of time.

The Mappedin Viewer will cache and reuse the access token for the duration of it's validity period. It will not request a new access token from the authentication proxy until the current access token expires.

Authentication Proxy

The self hosted authentication proxy is used by the Mappedin Viewer to request an access token. It is passed to the Mappedin Viewer as a query parameter:

https://app.mappedin.com/map/<MAP_ID>?authUrl=<YOUR_AUTHENTICATION_PROXY_URL>

The authentication proxy URL must be whitelisted by Mappedin before it can be used. Please contact Mappedin Support to whitelist your URL.

The authentication proxy performs the following steps:

  1. Receives an HTTP POST request from the Mappedin Viewer.
  2. Uses a Mappedin API Key and secret to request an access token from the Mappedin API Key REST API.
  3. Returns the access token to the Mappedin Viewer.

Authentication Proxy Examples

The following examples show how to implement an authentication proxy using various technologies. These proxy examples do not authenticate the user or prevent someone from accessing them. Any authentication and or access control method can be implemented in the proxy or in another service running in front of it.

Node.js express

The following example demonstrates how to implement an authentication proxy using Node.js and the express framework.

import express from "express";
import cors from "cors";

const app = express();
const port = 3000;

app.use(
  cors({
    origin: "*", // Be more specific in production.
    methods: ["POST"],
    allowedHeaders: ["Content-Type", "Authorization"],
  })
);

app.post("*", async (req, res) => {
  const response = await fetch(
    "https://app.mappedin.com/api/v1/api-key/token",
    {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        key: "YOUR_API_KEY",
        secret: "YOUR_API_SECRET",
      }),
    }
  );
  const data = await response.json();
  return res.json(data);
});

app.listen(port, () => {
  console.log(`Sandbox listening on port ${port}`);
});

ngnix Reverse Proxy

The following example demonstrates how to implement an authentication proxy using an nginx reverse proxy.

    location /token {
        proxy_pass https://app.mappedin.com/api/v1/api-key/token;
        proxy_method POST;

        proxy_set_header Accept application/json;
        proxy_set_header Content-Type application/json;

        proxy_ssl_server_name on;

        proxy_set_body '{"key": "${MAPPEDIN_API_KEY}", "secret": "${MAPPEDIN_API_SECRET}"}';
    }

Cloudflare Workers

The following example demonstrates how to implement an authentication proxy using Cloudflare Workers.

export default {

  async fetch(request, env, ctx){

      const response = await fetch(
        "https://app.mappedin.com/api/v1/api-key/token",
        {
          method: "POST",
          headers: {
            "Content-Type": "application/json",
          },
          body: JSON.stringify({
            key: "$KEY",
            secret: "$SECRET",
          }),
        }
      );
      return response;
  }
}

AWS Lambda

The following example demonstrates how to implement an authentication proxy using AWS Lambda.

export const handler = async (event) => {
  const response = await fetch(
    "https://app.mappedin.com/api/v1/api-key/token",
    {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        key: "$KEY",
        secret: "$SECRET",
      }),
    }
  );

  const token = await response.json();
  return token;

};