Google Analytics Reporting API - google-api

How can I get Google Analytics report on my SPA without authorization by Google?
Without authorization as a participant of project made I get this error
403 PERMISSION_DENIED

403 PERMISSION_DENIED
Means that you do not have permission to do what it is you are trying to do.
How can I get Google Analytics report on my SPA without authorization by Google?
You cant you must always be authenticated in order to access google analytics data.
In order to access private user data you must have permission to access it. Your google analytics data is private. There for you must be authorized though google in order to access that data.
If you are looking for a way of doing it without requesting access of the user. For example if you would like to display data from your personal Google analytics account to others without requiring that they have access to the data then you could use a service account. Service accounts are preauthorized so that your code will run and have access to the data without having to request access of a user.

Don't do Analytics API requests for your own data at the client side.
What you should do is have a server side job that requests data from the API every day and caches the result. Then you can provide the result for clients.
The API have limits in place that avoid more than 10k requests per day, having this done at client side means that you will reach this limit. This limit is in place exactly to discourage use cases like yours.
Having this done on the client side means exposing your credentials at the client side which would also likely allow users to query data you don't intend to share or maybe even change settings in your account depending on which scopes you are authorized.
You have to rethink your design to not do this job on client side.

Related

express-gateway API key management

I have API backend and it will be consumed by different consumers like our own company website and even other website can use our API with certain quota/limitation and for this scope management we will be using express-gateway(eg), however this is not the only reason I am using express-gateway(eg). Now coming to my problem/miss-understanding, for our own website we can create api-key and user credentials using eg command. But for the other user who wishes to use our api, I don’t want them to contact me for this integration, rather they should be able to create a user credentials and API key themselves using some facility (let us call it key management) provided by us. Here I am stuck how to give a web platform or any other mechanism where a user can create account and then create api-key for their own website. I was thinking to extend the express-gateway app itself and create page where a website owner can fill the form with various input field that will serve as parameter for eg command and I can trigger eg command in node console and create credentials and save it in redis database and then fetch those information to show it to user as their use rid and api-key. But I want to know the best way how others are doing, like how google, twitter and many more are allowing to create api-key, delete key and regenerate the api-key on compromise. Some suggestion would be to use third party tool to manage user-credentials, I will have little inertia to accept that, even if I do so how will I hook those third-party solution to my express-gateway.
In general, API gateways and authentication servers are independent, or at least loosely-coupled. The typical workflow is:
A user browses to the Create Account page for a service.
The user creates an account with the authentication server
The user makes a request through the API gateway
The API gateway checks with the authentication server whether the operation is allowed, discarding it if the user is not authorized to perform the requested action
The API gateway dispatches the request to the appropriate server
The receiving server checks whether the user is permitted to perform the action (in case the API gateway has been compromised)
Express Gateway includes its own authentication server for convenience, but the steps are basically the same. The difference is that one uses the Express Gateway Admin API to create the user and credentials rather than going to a different server.
Note that Express Gateway and its default account database (reddis) are not persistent out of the box.

Limits when accessing Google APIs using Service Account vs OAuth

My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.

How to get client data without having client login

Situation
Using the Google Core Reporting API (v3), I need to get client companies analytics and other data but since they are organizations and not individuals, It is too tedious to put them through the login flow in order to get access tokens.
I know that I can obtain a token for such a request using the Server to Server auth process, but that involves obtaining and holding on to their private key which then grants me, to my knowledge, near unlimited access.
Question
Is the Server to Server method the only way to do this or is there something better.
Yes, server to server is the only method which doesn't require the client login (OAuth).
Remarks about Google APIs:
Server-to-server comes in 2 flavours: Service account and API key
The vast majority of Google APIs (including Google Analytics APIs) only support the Service account method for server-to-server access
Some (eg Google Search Console) support API keys instead of Service account
You could use OAuth and store refresh tokens so people don't have to authenticate every time should you want to use a method that requires client login
Remarks about GA:
You should use the v4 reporting API as v3 is being discontinued

GAPI integration between frontend and backend

I have a single page application with some user-related calendars. The task is to write integration with the google calendar. A user should be able to click on 'integrate with google calendar', select his google account, give read+write access to the calendar, and then the application should be able to do a number of things within the user google calendar like creating a new calendar and sync all events inside it with the application data.
I started with this example, https://developers.google.com/calendar/quickstart/js
It works, but as I understand it's for online front end work only. Is it possible to retrieve authentication from this front end and send it to the back end? I want back end to operate server-to-server mode, while the user is offline.
I have checked the other, back end gapi integrations, but they do not look so cool, there're some redirects. I want to keep everything inside a single page with ajax and popups.
In order to access a users data when the user is off line you need something called offline access. When you authecate the user you will need to request offline access then the server will return to you a refresh token.
A refresh token is long lived you will be able to use your refresh token at anytime to request a new access token which will allow you to access the users data.
You cant use offline access with JavaScript you will need to use a server sided language like say node.js, php, phython .... you will not be able to use gapi

User data through Google APIs without authorization flow

I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.

Resources