So my colleague ran into this error while attempting to add http referrers to our javascript maps api key. Our app needs to be able to hit the api from our client domains, and there are well over 1200 of them. Has anyone hit this limit, if so, how have you surpassed it?
Related
I am having a web-app (serverless) that I am using for a long time. The idea is that the app gets contacts from my Google Account, and then I can do some actions by using this data.
Unfortunately, last days I started to recieve CORS errors... I didn't pay attention, but today I tried to fix it. And I realized that all other Google APIs like maps, locations, OAuth work properly.
The only problematic one is the Google Contacts API. I wonder, it's possible to continue using this API on the client side? I didn't touch the code and google-cloud settings. This is a very strange behavior...
Failed to load https://www.google.com/m8/feeds/contacts/default/full?v=3.0&alt=json&access_token=......&updated-min=2018-08-09T22%3A00%3A21.000Z&max-results=500:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://.....' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
The issue is fixed on Google's side (was a bug).
I have a Laravel-made API running in a server and an Angular application running in another server. My Angular app loads a huge JSON file (with more than 500 lines) and tries to insert each line in a database through the api. A request is sent for each line, so I get an 409 error (too many requests).
I know this is a matter of security, so I don't want to remove the throttle from my middlewareGroup array in Kernel.php. I'd like to know, however, if there's any chance I can turn this rate limit down for a specific origin address (http://www.myangularapp.com/ only, for example)? So I can send these various requests while keeping the rate limit for other origin addresses.
Thanks in advance!
I'm getting the following error intermittently when invoking the custom search api from a server side setup:
HttpError 403 when requesting https://www.googleapis.com/customsearch/v1?q=John+Doe+john%40simpler.com&alt=json&cx=&key= returned "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.
I'm using a server api key, and have confirmed that the configured server ip address is correct. And about 50% of the time my request come back fine, too. I'm issuing the request from the server like this:
service = build("customsearch", "v1",
developerKey=api_key)
custom_search_context = <my_context>
res = service.cse().list(
q=search_query_string,
cx=custom_search_context,
).execute()
My requests per sec are well with in the configured limit of 10/sec and daily purchased limit of 5000 requests.
One more thing I noticed is that Google counts a forbidden request towards the daily limit, too.
Any pointers on why I'm being presented with the error only intermittently would be very helpful
The error can be raised when you're exceeding a request/second limit. Can you confirm that your request rate is below your configured user rate limit? It might be worth noting that the limit is enforced even if you don't explicitly provide a user value in your requests.
After hours of searching and trying every possible solution found on the web, I cannot try anything else for my problem, so I really need help:
I want to implement a simple autocomplete text box with geocode results, so I call AJAX requests while the user types in the text box
I have enabled Google Maps and Google Places from the Google APIs Console
I have created a Key for server apps with my server's IP
I have a PHP file (called through AJAX) running on the server which sends the request to Google Places using file_get_contents() function (SSL is enabled) - also tried with cURL function
The request I'm asking for is
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=MY_SEARCH_STRING&language=us&types=geocode&sensor=false&key=MY_KEY
where MY_SEARCH_STRING is a simple string like "London" and MY_KEY the Key I have created
what I get as a response is
{ "predictions" : [], "status" : "REQUEST_DENIED" }
I have also tried this with a browser key. Also tried to create a new project, enable Services all over again, and create new Key. Switched services on/off & creating new key many times in any combination. Nothing worked.
The strange thing is that the same code was working the last months in a landing page I had created on the server, but had a long time to check it, so I do not know when it stopped working.
I appreciate a lot any help!! Thank you.
SOLVED. In Google API Console, I had declared allowed server IPs. I was assuming that if I declared an IP, I was just ensuring that requests would be allowed only from that IP. In order for this to work, you must also declare the allowed per-user limits for each IP, or else it just doesn't allow any requests. I removed all the allowed IPs, waited for 3-4 minutes, and the request was allowed.
Not sure if this helps, but here is a short example:
https://google-developers.appspot.com/maps/documentation/javascript/examples/places-autocomplete?hl=el
I've had a similar issue, fixed it and discovered a few things that may be useful in troubleshooting this
using http instead of https will result in REQUEST_DENIED
omitting &userIp=x.x.x.x will result in REQUEST_DENIED
a server key needs to be generated and used in case the request is from a php script even if ONLY consumed via browser by users or it will result in REQUEST_DENIED
a few minutes are necessary before testing if the list of IPs allowed has been changed
Hope it helps some of you guys
I’ve got a situation with a large internal corporate web based application running ASP.NET 3.5 on IIS6 generating 401 “Unauthorised” responses followed by 200 “Ok” responses (as profiled by Fiddler). I’m aware of why this happening (integrated auth forcing the browser to resend credentials) but I’m looking for some thoughts on how to minimise or eradicate the situation. The application in question is running in the WAN with some users experiencing latency of up to 250ms so forcing a subsequent request can have a noticeable impact on page load time, particularly when there are a number of cascading drop down lists on the pages making.
The users of the application are internal within a managed desktop environment so mechanisms to force the browser to send credentials on the first request (is this even possible?) could be possible from a deployment perspective. This would work for pages requiring the user’s identity but for resources not requiring authentication (WebResource.axd, ScriptResource.axd and some custom web services), allowing anonymous auth would be possible. I’ve looked at defining this on a per location basis in the web.config but the results were mixed (still a number of 401 responses).
I’d appreciate any guidance on a “best practice” for dealing with this situation. There are a lot of resources out there identifying the problem but none that I’ve found providing a feasible solution.
Thanks!
Edit: Resources not requiring authentication (i.e. web services used for cascading drop down lists) can be requested anonymously through adding a location entry to the web config but I'm yet to find an answer for authenticated resources.
Unfortunately this is an artifact of the HTTP NTLM authentication scheme.
In short, the browser (Internet Explorer or otherwise) doesn't know that it needs to authenticate at all until it gets bounced with a 401 response containing a WWW-Authenticate response header.
In the case of WWW-Authenticate: NTLM -- annoyingly enough -- it requires two 401 responses on a single persistent connection to complete, and this process must be repeated once the HTTP persistent connection is closed. So even if you were able to get the browser to initiate a request blindly attempting NTLM, at least one 401 response cannot be removed from the transaction.
I think your best bet would be to maximize the amount of time that persistent connections are left open when idle.
CSCRIPT.EXE c:\inetpub\adminscripts\ADSUTIL.VBS SET W3SVC/AuthPersistSingleRequest FALSE
Will reduce the amount of 401's significantly.
I believe you can convince Firefox to automatically send NTLM credentials to a whitelisted set of domains via "about:config" settings - use the "network.automatic-ntlm-auth.trusted-uris" setting. I haven't tried this myself though. I'm not sure there's any equivalent for Internet Explorer.
Unfortunately if you're using something else like Kerberos there does not seem to be a way to avoid the 401.
You may need to consider Forms Authentication if the 401-induced latency is too long. The users would have to explicitly log in, but just once. Then you could use a cookie or cookieless scheme and get a response on the first try.
I imagine that page load would be slow if you have cascading drop-downs and your initial page load populates one value that causes a POST to get the next list, set that value, another POST to get the next list again, and so on. If this is the situation, perhaps you need to populate all those drop-downs on the first round-trip rather than waiting for POST responses.
TL;DR I put HTTP header information in HTTP body
My example is in Angular, but any TypeScript/JavaScript (framework) might have the same issue.
When doing a HTTP post call to my backend API, which requires headers with the logged in user information, I added my HTTP headers where my HTTP body should be and the headers were empty.
PROBLEM
markInstructionAsCompleted(visitScheduleId: string, instructionId: number) {
return this.http.post(`${environment.apiUrl}/VisitInstructions/schedule/${visitScheduleId}/done/${instructionId}`, this.getHeaderWithAuthorization());
}
SOLUTION, notice that there's an added second argument to the HTTP post call, which is null
markInstructionAsCompleted(visitScheduleId: string, instructionId: number) {
return this.http.post(`${environment.apiUrl}/VisitInstructions/schedule/${visitScheduleId}/done/${instructionId}`, null, this.getHeaderWithAuthorization());
}