SoundCloud: API key in client-side script - client-side

The SoundCloud API docs (http://developers.soundcloud.com/docs/api/sdks#javascript) suggest to provide our client_id in the client-side code:
To start using the SDK just add this script to your HTML and
initialize the client with your own client_id and optionally your
redirect_uri in case you want to use authentication:
<script src="//connect.soundcloud.com/sdk.js"></script>
<script>
SC.initialize({
client_id: "YOUR_CLIENT_ID",
redirect_uri: "http://example.com/callback.html",
});
</script>
If we expose our client_id as suggested, it can be easily added to requests made by other apps.
Is it still secure to do so?
Isn't our app going to be rate limited if some other app sends too many requests using our client_id?

Related

Firebase JS Issues with Netskope

My company has implemented Netskope for security and it is causing issues with my Firebase web app. I have verified Netskope is the cause of problem by having our security admins disable it on my PC. When that was done, the web app performs as expected. With Netskope enabled, users are able to log in but can't retrieve documents (and I'm assuming can't edit or delete either). Instead, there is an error in the console that says
Could not reach Cloud Firestore backend. Backend didn't respond within 10 seconds. This typically indicates that your device does not have a healthy internet connection at the moment.
Some code:
var app = firebase.initializeApp(config);
var db = firebase.firestore(app);
var docRef = db.collection("/annual meeting/Events/" + selectedDay).orderBy("time").get().then(function(querySnapshot) {
querySnapshot.forEach(function(doc) {
eventIds.push(doc.id);
eventDocs.push(doc.data());
});
addEventsToList();
})
My security people are asking for specific URLs so they can investigate. I've sent them https://console.firestore.google.com/project/*project-name*/firestore, but I'm not sure what else to send them. They seem to think it's either a certificate pinning issue or Firebase not liking Netskope's egress IPs. They need specific URLs to redirect, but I'm not sure what to give them.
According to the Firestore documentation, the client libraries and APIs use the firestore.googleapis.com service to communicate with Firestore.
To call this service, we recommend that you use the Google-provided client libraries. If your application needs to use your own libraries to call this service, use the following information when you make the API requests.
If your security department is requesting URLs to investigate, you can try with the REST endpoints of this API. Inside the documentation, there is an API test app included (API Explorer). This feature lets you make requests to the service with appropriate authentication. For example the following endpoint is used to retrieve documents from Firestore:
https://firestore.googleapis.com/v1/{name=projects/*/databases/*/documents/*/**}
The request parameter name for this endpoint when using the API explorer would be:
projects/projectID/databases/databaseID/documents/documentPath
projectID = your project ID
databaseID = for Firestore use: “(default)”
documentPath = path of the document to retrieve (collection/document/...)
Additionally, I found other questions related to Firebase and Netskope in Stackoverflow and GitHub

new Google Identity Services JavaScript library - how can i make authorised requests to google api?

according to google:
The older Google Sign-In platform library:
apis.google.com/js/platform.js, and Google APIs client library for
JavaScript: gapi.client, are no longer required for user
authentication and authorization. They have been replaced by a single
new Google Identity Services JavaScript library:
accounts.google.com/gsi/client.
with the older library you could both authenticate users to your site and you could make authorized requests to google api such as calendar.
there is no information in the docs, as far as i can see, reagrding how to make authenticated requests to google api's such as calendar.
is the new api only replacing the old for apps that only do sign in.
am i missing a way of using the new api to make authenicated requests.
FYI:
On Feb/15/2022, Google announced the availability of Authorization in Google Identify Service SDK:
https://developers.googleblog.com/2022/02/announcing-authorization-support-for.html
here is the docs:
https://developers.google.com/identity/oauth2/web/guides/overview

How to send Firebase Auth Token ID from Mobile Clients (iOS & Android) for HTTPS triggers on Cloud Functions?

Ok not an expert on server side coding and stuff but have a basic understanding. Here is my question;
I have firebase triggers setup on cloud functions
Now there is a requirement that I need to communicate with external servers to retrieve some other data
So I use HTTPS triggers and I followed tutorials and managed to use express and other middlewares to get the job done
The problem is, I don't think I understand how these HTTP triggers are authenticated. I obviously want only the authenticated users to make a call to these end points and my users are either iOS or Android users.
What i have already found out:
I followed the code sample in this link: https://github.com/firebase/functions-samples/blob/master/authorized-https-endpoint/functions/index.js but I have one question
It says The Firebase ID token needs to be passed as a Bearer token in the Authorization HTTP header like this: Authorization: Bearer <Firebase ID Token>
Is this token passed automatically from iOS and android clients or do I need to manually call some FirebaseAuth get token function in the mobile SDKs and manually created this authorization bearer as a part of my request url?
You need to manually call a Firebase API to get a token to pass to your backend.
This process is documented fairly thoroughly in the documentation for the Firebase Admin SDK, which you would use to verify ID tokens. That link will give you examples for Android and iOS.
The code sample you linked to also has client code for web that does the same.

Firebase Auth and Google Calendar Creation

Is it possible to use Firebase Authentication, to authenticate my iOS/Web/Android users to my platform, and then for each user to create a google calendar and sync them with the rest of the users through Firebase?
This is the first time that I'm dealing with something like this and I'm honestly confused, the documentation on the API's hasn't helped me thus far.
You may want to check this thread wherein it was stated that:
There is no way to currently do this with the current SDKs that I am aware of, unless you roll your own Google OAuth flow using custom authentication.
Reading through it, one encountered problem is with the access_token.
When login to Firebase using Google credentials, it gives you back the Google access_token, which is great. Unfortunately, that token only last for an hour and you're NOT given a refresh token, which means while your app is still authenticated against Firebase after an hour you can no longer access the Google APIs without forcing the user to login again.
As a workaround, you can try handling the authentication outside Firebase
using standalone Auth client which can be loaded with the JavaScript client's load function:
<script src="https://apis.google.com/js/api.js" type="text/javascript"></script>
<script type="text/javascript">
gapi.load('auth2', init);
</script>
Then, manually handle the Firebase sign-in flow as discussed in this Firebase documentation.
Lastly, see this SO post for additional insights.

How to use Google Cloud Endpoints from within a Chrome App?

I'm building a Chrome app, and I'd really like it to communicate with my server over cloud endpoints, but there are two problems that I'm not sure how to overcome:
The Google apis javascript library is an external script, which I can't use in a page in a chrome app. Can I just copy the source of the library, and place it in a file in my app's source?
The client checks your javascript origin, but an extension's origin is of the form chrome-extension://EXTENSION_ID, which the developer console doesn't accept as a javascript origin.
How do I get around these issues?
1. Loading the gapi client
Indeed the only way I have found to load the gapi client is to use a webview, as explained here. I have tested itand it works well but weirdly the authentication does not work at all, and Cloud Endpoints believes you're anonymous.
In addition communication from a webview to the rest of the world is pretty tricky (window.postMessage does not allow to send a response in a callback).
I think you will be better off calling directly the REST methods using AJAX requests, with a helper such as jQuery or other. You just have to set the Authorization header using you access token, like this in jQuery :
$.ajax({
type:"GET",
beforeSend: function (request)
{
request.setRequestHeader("Authorization", "Bearer "+THE_ACCESS_TOKEN);
},
url: "https://yourapp.appspot.com/_ah/api/yourapi/v1/yourmethod",
success: function(msg) {
//Put here your callback
}
});
See below how to get the access token.
2. Authorization in Chrome Apps
You do not have to worry about the origin part in Chrome Apps, you simply need to generate a client id specific to the Chrome App, and use the Chrome Identity API to get authorization from the user. Check the Chrome Identity API documentation for more details.
Note that since you will need to create a new client id, you will need to update your Google Cloud Endpoint's configuration to add this client id to the list of authorized clients.
Yes. There are several GAPI packages for Angular in bower.
The Tasks sample app says it uses the GAPI. Check the example there:
https://github.com/GoogleChrome/chrome-app-samples/tree/master/samples/tasks
Hope that helps!

Resources