I have reviewed every topic that seems relevant and I believe I am having a problem because the configuration in which I am attempting to use this service is different from any of the other postings.
I can get acceptable Reverse GeoCode results only without a Key.
But acceptable is not optimal. The Guide documents filtering which would be applied on the server side to reduce the number of results I would receive to check to determine which result is 'best'.
I do not believe that the ability to get server-side filtering is a Premier Service; I do not have a Premier License.
No matter whether I use a current Browser Key or Server Key, every request will result in REQUEST_DENIED status.
At console.cloud.google.com/apis I have enabled "Google maps JavaScript" and just by reading all the other postings, I have added, probably unnecessarily, and with not change in the result: "Google Place API Web Service".
My only remaining guess is that my request is being denied in relationship to the terminology of the service agreement requiring that this service include the display of a Google Map. My application DOES display a Google Map, but I do not see how to let the Google Maps Server know that. May API stack is using the Javascript API with XML results requested via this URL: "http://maps.googleapis.com/maps/api/js?language=en&libraries=places", and the GeoCoding requests [forward and reverse] work fine via this URL:
http://maps.googleapis.com/maps/api/geocode/xml? but adding a key="" in order to take advantage of server-side filtering is always denied.
What am I missing that needs to be passed in the request in order to have my api key honored and for me to get a better result set consuming less network bandwidth?
As you use Geocoding API you have to enable it in your project. You have to generate a Server API key and use it with your request.
The official documentation covers this subject:
https://developers.google.com/maps/documentation/geocoding/get-api-key
For Maps JavaScript API you have to use a Browser API key:
https://developers.google.com/maps/documentation/javascript/get-api-key
Related
Firebase hosting has been excellent, up until now. It is very fast and very cheap. Alas, there is absolutely no access to any server-side activities such as you normally would with PHP.
I'm using Opayo 3D Secure to process payments. Part of this involves showing an OPayo webpage inside an iframe to capture bank card details. This then returns another URL from a bank that issues a question to the card's account holder. When complete, the bank sends a POST message to my website with two parameters that I then use to complete the transaction. I can see these parameters in Chrome's Devtools but I have no idea how to access them using Javascript.
Here are the returned values (cres and threeDSSessionData):
It is not possible to use fetch() or XMLHttpRequest() to get the response. The URLs provided must be presented using iframes.
Obviously, Firebase Hosting is passing the HTTP headers and body back to the website, as can be seen from the Devtools, but how do I get hold of them?
When creating a new project Firebase generates browser API keys automatically in the GCP API credentials. This is the same API key that is set in the Firebase Web client SDKs and is publicly available.
By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project. Surprisingly I have not found information about securing this key in the Firebase documentation.
So I took two extra steps to secure the key:
Added HTTP referrer restriction to allow requests from my domain only.
Added Identity Toolkit API to the list of allowed APIs. Experimentally I've figured out that it's enough for Firebase Auth and Firestore to work.
Added Token Service API. This is needed for refresh tokens to work and keep the authentication.
My question is mostly related to points #2-3. What are the APIs that needs to be enabled for various components of Firebase to work on the web?
I also enabled those same two APIs, but I used the Metrics Explorer to see what the various Firebase-created keys had been using based on actual traffic.
In GCP,
Go to Monitoring -> Metrics Explorer
Click 6W in the time range above the graph
Resource Type, start typing consumed_api and select it
Metric, choose Request Count
Group By, type credential_id, select it, then type service, and select it
Aggregator, select sum
By now, the legend for the graph should list all the credential ids and which services they used in the last 6 weeks. You should be able to figure out the APIs from the service.
You can use Filter to filter by credential_id if the results are too noisy.
By default the key has no restrictions, so it's prone to quota
stealing for every API enabled for that project.
This is indeed possible and I am able to make e. g. Google Maps API call with the auto generated Firebase API key.
Such preconfigured behaviour was certainly unexpected and I am now experimenting with the restrictions as per the extra steps described in the original question.
I have been studying the DriveAPI for a while now and can't seem to find a simple way to get it to work just for MY needs only...
I would like to use the DriveAPI only with just the REST API (HTTPS).
There are many things like token, clientid, apikey, secrets, etc.
All I need, is to search MY OWN GDrive files (FULLTEXT CONTAINS) and get a result from the API but I can't get it to work.
Please remember, this is for my own needs only and I would like to bypass the verification (login) window and get some kind of token, that lasts forever, so I can implement this in my own tool.
So, how can I authenticate and use the DriveAPI with just plain HTTPS?
My efforts so far:
I have already made a client ID and a client KEY for a sample project in the dashboard. I have also an Google Drive API KEY. From this point, I don't really know where and what to send.
As I mentioned in my comment, there is no "bypass" for the OAuth 2.0 authentication (that's why there is authentication enforced in the first place). Have you done any coding for this that you can share? For most REST API's OAuth 2.0 authentication is required. Your application must be able to request the token and use it to make the requests.
Google API's use Google Identity service to provide the tokens. In the following document there are many examples of how this implementation should be done in different programming languages:
https://developers.google.com/identity/protocols/OAuth2WebServer
Is it possible to either turn off the api explorer completely or limit the access to it?
I noticed some logs in my app that come from failed requests executed from a browser. My api is only consumed by an Android app so the only place where they can come from is the api explorer. Also the api access is limited to 1 web and 1 android client id.
Unfortunately no. The API explorer works by using the Discovery Service associated with your API, which is not actually part of your backend, so you can't specify auth or visibility for those URIs.
The list method from the Discovery service is used to generate the list on the APIs Explorer app using your app as base:
discovery.apis.list:
your-app-id.appspot.com/_ah/api/discovery/v1/apis
When someone clicks one of the APIs from the list, the full discovery document is retrieved for that apiName and apiVersion using the getRest method from the Discovery service:
discovery.apis.getRest:
your-app-id.appspot.com/_ah/api/discovery/v1/apis/{apiName}/{apiVersion}/rest
If you are looking for ways to prevent the executing of the API, check out Cloud Endpoints: Control who can execute API through API Explorer
endpoints makes auth easy and you can get the current user. You should use auth to ensure people don't mess with your private apis - otherwise people could trace what kind of post or get requests you're sending anyway - auth is always a good idea rather than trying to keep your apis secret.
If you're building a secret product and you don't want your competitor to find out, you could perhaps use some obfuscation method on the backend and on your client which makes the apis unreadable.
Also a user messing with your apis shouldn't break your database - or if it does - it should only break it for the user that was being foolish. Having logic in your client for how apis are used so that the backend doesn't break is a bad idea - the backend apis should take care of themselves and not worry about how or why they are used and who by for what purpose.
I'm developing a Web Application (based on Google Maps API V3).
Whenever an user clicks on a map, a marker is placed on that point and
an "human readable" address is resolved (by the geocoding service). In
this way I can put in an infowindow, attached to that marker, the
corresponding address.
The question is: Can I resolve just one time that address and store it
on an external DB? Is this practice compliant with your terms of
service?
Regards
The relevant section of the TOS is
10.1.3 Restrictions against Data Export or Copying.
(b) No Pre-Fetching, Caching, or Storage of Content. You must not pre-fetch, cache, or store any Content, except that you may store: (i) limited amounts of Content for the purpose of improving the performance of your Maps API Implementation if you do so temporarily, securely, and in a manner that does not permit use of the Content outside of the Service; and (ii) any content identifier or key that the Maps APIs Documentation specifically permits you to store. For example, you must not use the Content to create an independent database of “places.”
This precludes the use of reverse geocoding.
no, this is forbidden by the terms of use by google.
we would have done it your way in another project, but we had to change because of the terms of use.