Is it possible to build PhoneGap + Google Maps JScript API application that uses an API key with allowed Referers list set to mydomain.com (it's just an example) ?
Wouldn't Google reject such API usage because of origin of requests is JScript stored locally in a device?
Yes I believe you are right, Google would reject requests from a PhoneGap app if the API key is limited to certain domain names, as when coming from a PhoneGap app, it is not coming from a domain name.
If were using the native Android or iOS Google Maps SDK, it looks like you can restrict it to the package names - you will see that option when creating a new Google Maps API key.
In Google Maps API v3 you don't need an API key anymore. And yes - java script is cached locally on the device like any other page content.
Related
I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - Under API Restrictions the radio button with Don't Restrict Key is marked
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
Open the Google Cloud Platform Console.
Choose the project you use for your application(s). Open APIs &
Services and select Credentials.
Click Edit API key for the API key in question.
Scroll down to the Application restrictions section.
Change the radio button to None, and click Save, or add your
application to the list of allowed Android apps, iOS apps, or HTTP
referrers, respectively.
If the radio button already shows None you may be looking at the
wrong API key.
You can check which API key is used for the Firebase Installations
API by looking at the service usage page for your project.
Since I do not have any API restrictions and there is also no other API key that I have, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API Restrictions to allow only the services from Firebase that I am using, but that did not fix the problem.
Any help or direction to a solution, will be appreciated.
I'm building a production hybrid mobile app that uses Firebase/Firestore. Since it's a hybrid app, I can not use the bundle ID or HTTP referrer methods to restrict the API key (Google support confirmed this is not supported).
My worry is that anyone could decompile the app and get the API key, using it with a simple Node.js script locally, and access my database.
Node.js scripts can bypass all Firestore rules, making unrestricted API keys very powerful. So far I have been unable to find a way to restrict keys with hybrid apps, including reaching out to Google support. I'm wondering if the only way to actually achieve firebase/firestore security is to use Native apps vs. Hybrid?
Actually for ios, we are not able to restrict the google api key. But, for android we have done with HTTP referrer method only.
For android it is possible.
If you are using ionic4, Please use the same origin value whatever you set in you config.xml corresponding to you android app.
I'am making a firebase PWA that shows a custom YouTube home. So, I want to list the videos of a user's YouTube home.
For that I'am using the Youtube Data API v3 and want to use the user's API key (coz if i use my API key, they will get my recommendations, right?).
The user will be logged into the site using Google Auth.
So, how can I use that information and
access their Google API console
get their API key
enable their Youtube data API
get their recommended results
(I can accept any wild method)
This is officially impossible. Hacks might exist, but not dependable. Sorry.
So I am fairly new to firebase and new to the more advanced concepts of gcloud and i'm setting up firebase with hosting and analytics and in the gcloud console it generated a Server key and a Browser key however they look like identical keys, both unrestricted, and when i copied the code for the fire base analytics google sent me an email warning me about the api key being public (public github repo) is it safe to publish the unrestricted browser key, if so why? If someone could explain how api keys work within google cloud that would be great.
The Google Cloud Platform has a number of API keys. These are generated for Android, iOS and web (Browser) applications and there is also a Server API key. Anyone with an API key can call the REST APIs on resources on the project it was generated for. This can incur major billing charges!
It is advisable to restrict API keys. Only give them access to the APIs they need to use. Android and iOS keys should be restricted to the applications the project support.
The browser key is the one to be careful with as the key is stored in a JavaScript object and easily obtainable. It should be restricted to the domain the web pages are served from. If email address and password authentication is enabled, an unrestricted API key can be used to create and modify users.
So no, it is not safe to publish an unrestricted browser API key.
I am new in Flutter, and I have pretty good knowledge of using Google maps APIs for native Android Apps. However, in my flutter app, I need Google Places search Auto-complete. I came across a plugin called google_maps_webservice where it consumes google maps APIs such as directions, places and geocoding using Google web services. My question is having low understanding and experiences in setting up web services for google maps API, how I can use the plugin in my flutter app? For example, if I had to use places API in android I would have enabled Goole Places SDK in cloud console and generate an API restricting for Android App. But for a flutter, both Android and iOS are going to use the same services from a web API call. what should I do? And right now I have no backend knowledge to set up a domain to use while creating the API from the console.
You can import the google_maps_webservices package
import 'package:google_maps_webservice/places.dart';
and use it in your code:
final places = GoogleMapsPlaces('<Your-API-Key>');
final response = await places.autocomplete('<What-you-are-searching-for>');
if (response.isOkay) {
for (Prediction prediction in response.predictions) {
print(prediction.description);
}
}
Some caveats:
1. Ensure that you are using the Web API key
2. Ensure to activate the Google Places SDK in Cloud Console.
3. To avoid getting an OVER_QUERY_LIMIT status message, ensure that you are using a billing account.