Google spreadsheet: security error from flex - apache-flex

I have an app that uses a google spreadsheet to populate a menu and some related pages. Works great in debug but gives the "security error" when released.
It seems like some google services (eg picasa) permit flex apps to access them. Is google docs not open this way?

What is the API URL you are checking? Does that URL have a CrossDomain.xml file? If not; then you can't access it directly from a Flex (or Flash Player) app. You'll have to use a Proxy of sorts.
Most people implement Proxy's on the server side. Basically, your Flex app will call the proxy and send the appropriate data. The proxy will then call the API (in this case Google Docs), get the results of that call, and then return the results to the Flex app.
Doing a quick search, I found this page. Are you trying to access the spreadsheets.google.com URL? If so, check out it's crossdomain.xml file. It appears to prevent all access.

Related

Send conversion event to Google Ads from NodeJs backend (AWS)

I have a website hosted in AWS with a NodeJS backend.
I have Google Ads conversion events being sent from the frontend using gtag.js, but I noticed missing events and a lot of duplication (even if I use transaction IDs with my events)
I has similar issues with Facebook Pixel and was able to resolve the problem by sending simple vanilla http calls from the backend.
Is it possible to do the same with Google Ads? I have not been able to find any documentation for server side APIs for Javascript.
This documentation here seems promising, but no Javascript SDK exists. That's is why I would like to know what vanilla http calls to make.
I have seen documentation about GTM server side, but it seems I need to host a GTM container (server?) which I would prefer not to have to. Unless I misunderstood what hosting a GTM container means in the context of a AWS cloud solution.
In addition to the native, gRPC-based Ads API there's also a REST alternative which can be used if there's no native client library, such as for NodeJS.
The endpoint relevant for your use case is customers.uploadClickConversions, which allows you to register a conversion given a specific click ID.
Keep in mind that you'll need to apply for API access in order to be able to use the Ads API (aside from accessing test accounts).

How to hide the Firebase Storage download URL from the network tab of browsers?

I'm leveraging Firebase Authentication for downloading images from firebase storage. I'm also leveraging google API HTTP referrers for blockage by domain so that my image from firebase storage is only accessed from my website. But when I go to the network tab of my browser I can see the download URL of the image. By this, anyone can download my image and use it. What should I do so that my images are secured?
P.S: I'm using the firebase storage SDK and by following the documentation when I execute this code below
storageRef.child('images/stars.jpg').getDownloadURL().then(function(url) {
// `url` is the download URL for 'images/stars.jpg'
var img = document.getElementById('myimg');
img.src = url;
}).catch(function(error) {
// Handle any errors
});
I can see the download URL in the network tab of my browser.
You can't. When you give up access to a Cloud Storage download URL to any one, in any way, you are implicitly trusting that user to its access. They are free to share it with anyone they want. If you don't trust that user, then don't give them the URL.
If you don't like the way this works, then don't use download URLs, and allow only secure downloads via the Firebase SDK. At that point, you are trusting the user they will not take the content and upload it elsewhere and generate a URL to it.
You seem to have two options as far as I can tell. Unfortunately, they are basically one in the same effectively as you will probably have to implement both.
The first option is to revoke the access token on individual files you don't want to be allowed to download. Unfortunately, this also means that you can't display them anywhere you currently do via the URL as it breaks that link. See this answer for why that is a pain to do.
The second option is to use storage references to download them client side, but this only works if you are using Firebase SDK's in a web app and not a simple static website. I think this shouldn't expose the URL on the network tab of the browser if the app is set up correctly.
You can implement the second option without the first and the URL shouldn't be exposed, but you can't use the url anymore and have to use both options if you implement the first one... :/ meh... firebase is great, but nothing is perfect
This seems to work, I'll update if it doesn't
Edit: "However, the CORS configuration applies only to XML API requests," which one can just go to the file still.. https://cloud.google.com/storage/docs/cross-origin
GCP console >_
pencil icon > create cors.json [{"origin":["https://yourorigin1.com"],"method":["GET"],"maxAgeSeconds":3600}]
go back to shell and enter gsutil cors set cors.json gs://yourproject1.appspot.com
https://stackoverflow.com/a/58613527/11711280
Workaround:
I will make all rules resource.data.authorId, resource.data.members, etc. I need to match the request.auth.uid (or control calls in client code to non-anonymous uid's), and sign-in every user anonymously, at first. Then, uid will not be null when using a firebase initialized from our domain

How to (can you) configure Azure API Management for Auth0 single page application

Scenario: Auth0 Single Page application client. .NET Web API and Angular SPA both configured to use this client. Works great.
I'd like to add Azure API Management as a layer in front of the API. Have set up the API in the Management Portal, updated SPA to call API, tested calls from SPA, works great.
Now, I'd like to configure API Management Portal with the right security settings such that people can invoke API calls from the Developer Portal. I've used this [https://auth0.com/docs/integrations/azure-api-management/configure-azure] as a guide.
Where I'm at:
From the Developer portal, I can choose Authorization Code as an Auth type, go through a successful sign-in process with Auth0 and get back a Bearer token. However, calls made to the API always return 401. I think this is because I'm confused about how to set it up right. As I understand it:
either I follow the instructions and setup a new API client in Auth0, but if that's the case then surely it's not going to work, because tokens generated from one client aren't going to work against my SPA client? (or is there something I need to change to make it work)
or, how should I configure Azure API Management to work with a SPA application. (this would be my preferred method, having two clients in Auth0 seems 'messy'). But, don't I need an 'audience' value in my authorization endpoint URL? How do I get that?
If anyone has done this, would very much appreciate some guidance here.
Well, I didn't think I'd be back to answer my own question quite so soon. The reason is mostly rooted in my general ignorance of this stuff, combined with trying to take examples and fuse them together for my needs. Posting this to help out anyone else who finds themselves here.
Rather than take the Single Application Client in Auth0 and make it work with Azure API Management, I decided to go the other way, and make the non-interactive Client work with my SPA. This eventually 'felt' more right: the API is what I'm securing, and I should get the API Management portal working, then change my SPA to work with it.
Once I remembered/realised that I needed to update my audience in the API to match the audience set in the Client in Auth0, then the Management Portal started working. Getting the SPA to work with the API then became a challenge: I was trying to find out how to change the auth0 angular code to pass an audience to match the one the API was sending, but it kept sending the ClientID instead. (by the way, finding all that out was made easier by using https://jwt.io/ to decrypt the Bearer tokens and work out what was happening - look at the 'aud' value for the audience.
In the end, I changed my API, in the new JwtBearerAuthenticationOptions object, the TokenValidationParameters object (of type TokenValidationParameters) has a property ValidAudiences (yes, there is also a ValidAudience property, confusing) which can take multiple audiences. So, I added my ClientID to that.
The only other thing I then changed (which might be specific to me, not sure) is that I had to change the JsonWebToken Signature Algorithm value in Auth0 for my non-interactive client (advanced settings, oAuth tab) from HS256 to RS256.
With all that done, now requests from both the API Management Portal, and my SPA work.
Curious to know if this is the "right" way of doing it, or if I've done anything considered dangerous here.
Since you're able to make the validation of the jwts with the .Net API work, Only few changes are actually necessary to get this working with Azure API Management.
In API management,
Create a validate-jwt inbound policy on an Operation (or all operations)
set the audiences and issuers the same as what you've used with your .NET web api. (you can check the values in Auth0 portal if you don't know this yet)
The important field that is missing at this point is the Open ID URLs since auth0 uses RS256 by default. The url can be found in you Auth0 portal at: Applications -> your single page application -> settings -> Scroll down, Show Advanced Settings -> End points. Then copy the OpenID Configuration
Here's the reference for API management's requirement for JWT tokens
optional reading

API to access Windows Store

Does windows store has an API?
For example when you open the "store" app, there is a "top free" list that will show the top 100 most popular free apps. Is the list coming from an HTTP endpoint somewhere on the internet?
There is no official API for accessing content in the Windows Store. I'm sure that the content is being pulled in from the web via and HTTP or HTTPS endpoint but using an undocumented service like this would likely not be recommended. It also doesn't look like there is a protocol activation schema documented for launching the store. The closest thing I can find is the MarketplaceDetailTask in Windows Phone. http://msdn.microsoft.com/en-us/library/windowsphone/develop/microsoft.phone.tasks.marketplacedetailtask(v=vs.105).aspx
The only other supported way of launching the store would be by using links to apps which cause the store to open.

Google Translate API proxy

Im investigating the translate API and the example script contains a warning advising me to use a proxy to hide my api key.
// WARNING: be aware that YOUR-API-KEY inside html is viewable by all your users.
// Restrict your key to designated domains or use a proxy to hide your key
// to avoid misuse by other parties.
I am just wondering how do I run the script via a proxy?
UPDATE: Thanks for this.. I have since removed the project as it was made redundant. But great advice
I believe in this instance the reference to proxy means a server side encapsulation (or something similar) to hide the API key. You'd therefore make a call to your server, which would proxy the call to Google instead of making the call in client-side Javascript and exposing your API key.

Resources