GraphCDN: This endpoint requires you to be authenticated - caching

I'm just starting to use GraphCDN with GraphQL and there's something that I don't understand. I set up my service as detailed in the documentation and now I have **.graphcdn.app/ caching my original https://***.com/graphql
Now to test I'm trying the new endpoint. But while some endpoints are open and need no authentication on my graphql api, the same endpoint would give the error:
{
"error": {
"message": "This endpoint requires you to be authenticated.",
"documentation_url": "https://docs.github.com/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql"
}
}
in GraphCDN. Any ideas on how I can get around this, or what am I doing wrong?

It sounds like you created a service that proxies through to the GitHub GraphQL API, hence why the API responds with a "This endpoint requires you to be authenticated" error that has a docs.github.com link in it.
In order to point it at your own GraphQL API (which doesn't require authentication), change the "Origin URL" in your service's settings to the URL of your GraphQL API:
We're happy to help further with that, feel free to reach out to our excellent customer success team via the chat bubble on the dashboard anytime!
Source: I'm one of the cofounders of GraphCDN.

Related

Try this API for Logging API returns "PERMISSION_DENIED"

I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that my response body is correct because it works with OAuth 2.0 but fails when I use API Key.
Auth 2.0:
Working request using OAuth 2.0
API Key:
Non-Working request using API Key
Google docs says that they generate their own API Key for this "Try this API" feature. https://developers.google.com/explorer-help/
Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.
Edit:
Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D
Here is the python request that I am using in my code to create an entry:
import requests
entry = {
"entries": [
{
"logName": "projects/[PROJECT_ID]/logs/requests",
"resource": {
"type": "http_load_balancer",
"labels": {}
}
}
]
}
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))
The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.
Any help would be much appreciated. Thank you in advance.
It looks like you are making a request to write data which isn't publicly writable. API Keys have no concept of user, they are only identifying you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are so I can't let you do this.
OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.
Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.

Analytics reporting API authentication with oAuth2 responds with "Not all scopes are approved."

I`m using Analytics Reporting API in my project to retrieve amount of users currently surfing my website. Consider following code:
gapi.auth2.init({
'clientId': '<Client_ID>',
'scope': 'https://www.googleapis.com/auth/analytics https://www.googleapis.com/auth/analytics.readonly',
}).then(function(authData) {
/*1*/
return gapi.client.request({
'path': 'https://www.googleapis.com/analytics/v3/data/realtime?ids=<VIEW_ID>&metrics=rt:activeUsers&dimensions=rt:latitude,rt:longitude'
});
But when i set debugger on the line with /*1*/ and want to investigate what`s inside "authData", in the developer console i see following:
>JSON.stringify(gapi.auth2.getAuthInstance().isSignedIn)
>"{"Ab":false,"Aia":{"value":false},"hg":{"hg":[]}}"
And inside authData i have following:
>JSON.stringify(a.currentUser)
>"{"Ab":{"El":null,"Zi":null},"Aia":{"value":{"El":null,"Zi":null}},"hg":{"hg":[]}}"
That indicates abscence of authenticated user, i presume.
Furthermore, http response for authentication request returns following error
>{error: "IMMEDIATE_FAILED", detail: "Not all scopes are approved."}
The question is: what does it mean and where can i approve those scopes by myself or maybe there is somone from Google who should approve scopes for my requests. Thanks.
Well i acidentally stumbled upon this solution. The reason for scopes to seem unapproved is that the application is not accepted inside an google account as capabke of accessing analytics data (and it's crucial as i use oAuth2 clientID bound to that particular account). So the solution is to allow your project to have access to your account. Sadly there is no such statement in api's docs, nor any example was found also.

Yahoo OAuth 2.0 `bearer_token_not_over_ssl` - explain?

I'm using the OAuth 2.0 spec for retrieving fantasy football data in the same way this site is using it: http://yfantasysandbox.herokuapp.com/resource/user/game_teams (github repo: https://github.com/whatadewitt/yfsapi)
After retrieving my access_token and refresh_token, I'm trying retrieve the user teams resource and getting this 401 error for no apparent reason
{
"lang": "en-US",
"description": "Please provide valid credentials. OAuth oauth_problem=\"bearer_token_not_over_ssl\", realm=\"yahooapis.com\""
}
It had been working for a few days and it all stopped working suddenly without me having changed anything. Please let me know if the spec has changed. I'm using the https protocol for each of my API requests and am sure to get new access_tokens if needed. My callbackUrl is also using https if that helps.
Its working perfectly now. Looks like it was a disruption in service with the API and not anything fundamental. Good luck this season!
Another possible explanation is that the urls you are passing are http, not https. I was getting this issue, too, until I updated all of my requests to use https.

"400: Unsupported service specified, INVALID_ARGUMENT" from Google Cloud Logging API

I am trying to manually write a log entry using Google Cloud Logging API.
Before doing this via code, I am first trying to do it using the Google APIs Explorer. Here is a screen shot of the request I've built using this tool:
In projectsId I have the Google Project Id that I've copied from the
Google Developer Console.
Likewise for metadata.projectId.
In metadata.userId I have the Client Id of the same Service account that I'm using to authenticate (OAuth2) against the Google Logging API.
Google Logging API is enabled for the project.
The Service account belong to the project and has the "Can edit" permission.
I'm 99% sure that I've setup OAuth2 correctly for the request.
When I execute this request, I get the following response:
{
"error":
{
"code": 400,
"message": "Unsupported service specified",
"status": "INVALID_ARGUMENT"
}
}
Why? and how can I fix this?
The error message was actually telling me exactly which argument was invalid - The serviceName I supplied was bogus ("test").
As soon as I set the serviceName to be "compute.googleapis.com", the problem went away and I received a 200 status code indicating success.

Google Credential: This developer account does not own the application

I'm using Google client libraries and trying to make a GET request to Google Play API.
GoogleCredential credential= new GoogleCredential.Builder().setTransport(netHttpTransport)
.setJsonFactory(jacksonFactory)
.setServiceAccountId(CLIENT_ID)
.setServiceAccountScopes(SCOPE)
.setServiceAccountPrivateKeyFromP12File(file)
.build();
credential.refreshToken();
HttpRequestFactory requestFactory =netHttpTransport.createRequestFactory(credential);
GenericUrl url = new GenericUrl(URI);
HttpRequest request = requestFactory.buildGetRequest(url);
HttpResponse response = request.execute();
I get
{
"code" : 401,
"errors" : [ {
"domain" : "androidpublisher",
"message" : "This developer account does not own the application.",
"reason" : "developerDoesNotOwnApplication"
} ],
"message" : "This developer account does not own the application."
}
My app is unpublished, would that cause the problem?
I've got the same problem. It occurs because you authorize user in Google API who does not own the application and try to get data that belong to your app.
In this topic it is well described. http://support.google.com/googleplay/android-developer/bin/answer.py?hl=en&answer=2528691&topic=16285&ctx=topic
You should authorize by OAuth2 the owner of application, and then use Google API with obtained token.
The problem is you are using the Service accounts OAuth 2.0 flow to authorize to the android-publisher API. I was doing it the same way. However, Google requires to use the Web server applications flow, which is ridiculous, since a human interaction is needed to allow for the API access.
Fortunately there is a way around it. You just have to obtain the refresh_token, store that and keep using it for future API calls. I wrote about it in more detail on my blog.
We also struggled with this problem as we wanted to validate a purchase on our servers in order to unlock certain features. We tried multiple solutions and frameworks, written by fellow community users and even official implementations but none worked.
Turns out all we had to do was renew our OAuth token (which we just created) and then it all started working.
I suspect that problem is exactly in publishing. You first need to bind your app to your (developer) account and then you will receive CLIENT_ID and other credentials (such as secret key and so on).

Resources