"Request for access" messages coming from my Google Docs add-on users - google-apps-marketplace

I developed a Google Docs add-on that is now fairly popular (300k installed users, https://gsuite.google.com/marketplace/app/onelook_thesaurus/372652075936). Since Sept 30, 2019, I have been receiving sharing requests for the Apps Script source code of this add-on, directly from the email addresses of end users. I have received a few dozen of these over the last month to my developer email address.
I'm not sure what triggers the sharing request, but I don't think these end users are developers, or even aware of the Apps Script code. I believe the sharing requests are being created programmatically by the Google Docs backend, possibly due to some error condition, but I am at a loss trying to replicate the problem or identify the source of it.
This is problematic since these users do not intend to share their email addresses with me.

Related

How do I determine which gmail permission is causing Google to send my clients 'Limiting access to data in your Google Account' emails? [closed]

My clients are receiving emails like this (I quote the text, but it is an html email):
From: Google Accounts
Date: [OMITTED]
Subject: Limiting access to data in your Google Account
To: <[OMITTED my client's email address]>
Hi,
Although you don’t need to do anything, we wanted to let you
know that the following apps may no longer be able to access
some data in your Google Account, including your Gmail content.
If these apps are unable to meet the deadline to comply with our
updated data policy requirements, they'll lose access to your
Account starting July 15th, 2019.
[OMITTED my company's name]
We are making this change as part of ongoing efforts to make
sure your data is protected and private.
You can always view, manage and remove apps you’ve given
access to your account by visiting your Google Account.
Thanks,
The Google Accounts team
I operate a webapp that uses the following gmail API methods:
gmail.users.getProfile
gmail.users.messages.send
gmail.users.threads.get
As far as I know I am following all of the rules. I have searched through the Google APIs Console, but I cannot see what data policy I am violating.
How can I determine the data policy I am violating? Why hasn't Google reached out to me about this?
Is this a convincing phishing scam? These emails are being sent to my clients, so I don't have access to see if they are signed properly, but from what I can tell from the forwarded emails they appear to be authentic.
You are not violating any security policy. This is a standard mail that comes whenever a user connects their account to a new application containing high-risk scopes (note that, as far as I know, not all scopes will result in this mail, but I haven't actually tested all scopes). This most often comes with the Gmail scopes in applications.
I would double-check that your application has been verified; it may help to remove some of the notifications your users are getting. Users should be informed by Google when they are accessing third-party applications and warned about what that could mean.
The following scope is one of the most critical as far as Google is concerned; this is most likely the one that will mean your users will always get this email when they authenticate your application. I wouldn't be surprised if all the Gmail scopes would result in that mail, but I haven't tested it.
https://www.googleapis.com/auth/gmail.send
Verification
This email is most likely related to the fact that this application has not been verified to use the Gmail scopes. Gmail scopes are among the most sensitive scopes as far as Google is concerned, as the chance that they could be abused by malicious developers is even greater.
You should apply for verification as soon as you can; Google may contact you and ask for a video of your application running.
Unverified apps
In most cases it does NOT cost anything to be verified. In some cases, for particularly sensitive APIs, Google may require an outside audit of your code to make sure it does not put users of your program at risk.
After several hours of piecing together information across multiple sites, along with a friend, while waiting for further clarification from Google, the following information was found, which I hope will help developers in the future.
Additional reading, piecing together the information available:
Elevating user trust in our API ecosystem: while this page does mention "All fees are paid directly to the assessor and not to Google." it does not state an amount. Again, I have never heard of anyone having to pay for this. However, I have contacted Google and requested that the page be updated with more accurate information as to what the fee entails.
Additional Requirements for Specific API Scopes
Why fee clearly states why a fee is charged. These assessments are done by a third-party company that must be paid. It would be unrealistic, IMO, for a company wishing to develop an application using Google's API to expect Google to pay for this; IMO it makes perfect sense that the cost would be transferred to the company developing the application. They will, after all, be making money on the application.

zagat content in the Places API - ERROR

I am seeing many errors on my Maps API Console.
I am the website owner, not the developer or webmaster.
Got an email from Google about new pricing. Below is the email.
Today we are announcing important changes, including our new name - Google Maps Platform, a simplified product structure, pay as you go pricing for all, and more. Please take a few minutes to review the announcement to familiarize yourself with the upcoming changes.
We would like to highlight a few updates that may impact your implementation. Beginning June 11th, we are launching our new pricing plan and providing all users access to support. We’ll continue to offer a free tier — all developers will receive $200 of free monthly usage of our core products.
How does this affect your current account(s)?
Based on your usage over the last 3 months and our new pricing plan, we estimate that your monthly cost will exceed the current $200 free tier.
I am trying to figure out why I have so many API calls.
I am seeing in the console that in the "Google Places API Web Service" I have a lot of "Zagat content in the Places API" calls, and they all result in error.
I am trying to figure out how this is happening, but I am not finding any info online. I see that the "zagatselected" parameter was discarded in May of 2017. I cannot figure out what is causing these errors.
Everything has been working fine, I have my own API key, and have for a long while. The only reason I am really looking into this, is because Google will now start charging me monthly.
Is it possible you expose your Maps API key to the client, don't have any restrictions on it, and someone else is calling the API/raising those errors?
If you have a snippet of code like this....
<script src="https://maps.googleapis.com/maps/api/js?key=[APIKEYHERE]&libraries=geometry,places&callback=initialize">
...on a public web page, it would be easy for someone else to take the API key and use it themselves, unless you add an IP or referrer restriction to only allow it to be used client-side from your website. You can set up restrictions on who can use your API key by following these instructions.
I suspect that the new Google Maps and Places API pricing scheme (which significantly lowers the number of free Places API calls) might cause some less ethical users to use keys they can scrape off websites.

How to bulk update "Authorized JavaScript Origins" in Google API Console?

Currently, I have been tasked to utilize the Google People API to ask for a user's basic Google information along with their public phone numbers. So far the results have been positive.
The solution my team and I have incorporated the Google People API integration in has the capacity to be utilized across thousands of domains. As a result, my question is simply: how can my team members and I ensure that any of our clients that utilize our solution with their own particular domain get our new functionality built with the Google People API?
Keep in mind, our clients have the flexibility to have http/https and any subdomain on their site. Entering each domain possibility for our client base one by one would not be an easy task. I'm seriously hoping there is a solution around the single, explicit origin entries.
Thank you for your time and help.
Warning:
You must remember that if this is source code you are giving your clients, you are not allowed to release your client ID and client secret. This includes plugins and scripts.
On November 5th 2014 Google made some changes to the APIs Terms of Service:
Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.
So if your clients could view the code of your application and see your client id and secret you should not be giving it to them.
Read more about this issue Can I really not ship open source with Client ID?
Recommendation:
The best solution for you will be to instruct your users now to create their own project on the Google Developer Console and create their own JS origins.
You may just have to provide your own wrapper around the target API where you authorize the client request yourself and then do the request from Google using your own credentials.
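One way to structure the wrapper this answer recommends, as an added example that is not from the original post or from any Google library: a Node-style handler that validates the caller's Origin against a list of client base domains (any scheme, any subdomain, so the console list does not grow per variant), then builds the upstream People API request with a server-held token that the client sites never receive. The domain list, the token value and the injected `forward` function are assumptions; the `people.googleapis.com/v1/people/me` path and `personFields` parameter are the public People API's.

```javascript
// Added example (not the original poster's code): a server-side wrapper in
// front of the People API. Client sites call this wrapper; the OAuth client
// secret and access token stay on the server and are never shipped to them.

// Constructed sample of client base domains (assumption, not a real list).
// Any scheme and any subdomain of these is accepted.
const ALLOWED_BASE_DOMAINS = ["example.com", "client-two.net"];

// Server-held credential. Placeholder only; load it from a secret store in practice.
const SERVER_ACCESS_TOKEN = "PLACEHOLDER_SERVER_ACCESS_TOKEN";

// True only for http(s)://host[:port] where host is an allowed base domain or a
// subdomain of one. "notexample.com" and "example.com.evil.test" are rejected.
function isAllowedOrigin(origin, baseDomains = ALLOWED_BASE_DOMAINS) {
  let url;
  try { url = new URL(origin); } catch (e) { return false; } // "null", garbage
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password || url.pathname !== "/" || url.search) return false;
  const host = url.hostname.toLowerCase();
  return baseDomains.some((d) => host === d || host.endsWith("." + d));
}

// Request the wrapper sends to Google on the client's behalf; the bearer token
// is attached here, server-side. personFields is limited to what the sites need.
function buildUpstreamRequest(resourceName = "people/me") {
  return {
    hostname: "people.googleapis.com",
    path: "/v1/" + resourceName + "?personFields=names,phoneNumbers",
    method: "GET",
    headers: { Authorization: "Bearer " + SERVER_ACCESS_TOKEN },
  };
}

// Handler shaped like a Node http listener. forward(options) performs the
// upstream call (e.g. via https.request); it is injected so the example runs
// offline. Disallowed origins are rejected before any upstream call is made.
function handle(req, res, forward) {
  const origin = (req.headers && req.headers.origin) || "";
  if (!isAllowedOrigin(origin)) {
    res.writeHead(403, { "Content-Type": "text/plain" });
    res.end("origin not allowed\n");
    return 403;
  }
  const body = forward(buildUpstreamRequest());
  res.writeHead(200, {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": origin, // echo only the validated origin
    "Vary": "Origin",
  });
  res.end(JSON.stringify(body));
  return 200;
}
```

To serve it, pass `handle` (with a real `forward`) to `http.createServer`; the wrapper should also check the caller's own session before forwarding, which is omitted here.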

joomla 3 email to web interface solution - logging in, sending and receiving emails only through my joomla! 3 website

I'm developing a website and I was wondering if it's fairly easy to set up an email interface within my Joomla! 3 website. An email system with inbox, outbox, possibly junk mail, etc. I need basic tasks of an email system like Gmail or Yahoo, where the already logged-in user at my website can send and receive emails with attachments only through my Joomla website. Meaning the user cannot use Outlook or any kind of email application to send or receive emails. If the user needs to email someone with the email that we gave him after we registered him/her at our website, he needs to log in first to our website in order to have access to the email service.
I'm wondering if this kind of idea is easily achievable in Joomla 3, as I'm kind of new to Joomla developing; I only started a month ago. Or if it's too complicated and it costs a lot of overhead. If it is possible, how can I achieve it? I have researched the internet for 3 days without any luck for a specific Joomla 3 extension.
However, I found other ideas like Roundcube and SquirrelMail, but for sure I need something way simpler than that, since the email service is already provided by my host. I just need an interface, that's all. Also I found this link that talks about something called DMail, but it's also too advanced and possibly a very old post too.
So please, if anyone could help. Thanks!

Sending request to Google not using Contacts API

I was checking the API reports for Contacts, Calendar and Tasks. I was surprised to see that the number of requests for the Contacts API is 0 for the last 28 days. However, we sync thousands of contacts with Google every day. Please refer to the attached screenshot.
From the stats it seems that the requests we are making to Google are NOT using the Contacts API.
Overview of our application's google integration:
Our application is built on Ruby on Rails.
We are using 'google-contacts' gem (https://github.com/varunlalan/google-contacts) for syncing contacts.
We authenticate user using 'omniauth-google-oauth2' gem (https://github.com/zquestz/omniauth-google-oauth2).
OAuth 2 scopes include - "userinfo.email, userinfo.profile, https://www.google.com/m8/feeds/"
Any reason why it is not making use of the Contacts API, or why the requests are not showing up in the reports?
Any help or inputs would be highly appreciated.
Thanks.
Just wanted to add that we're facing the same issue.
We've been using the Contacts API heavily (and we even got a 503 due to, it seems, exceeding the maximum requests/second) and yet the dashboard and the reports show 0% usage... which makes it a bit difficult to plan ahead!
After further investigation we have also seen that the per user quota is fixed at 10/user/second despite any changes to the config from the API console.
Also, the parameter quotaUser which is meant to enable developers to manage their quota more effectively is ignored.
