Is it secure to expose google shortener api key in code - google-api

I am using Google's URL shortener to generate a short URL. The long URL doesn't have any secret data, and the website is fully public.
Is there any risk in putting my API key in the source code for my app?

You probably don't want to do that. If you put the API key in the source code, others will be able to call the Google API as you. From the getting started doc:
"By default, your registered project gets 1,000,000 requests per day for the URL Shortener API (see the Developers console for more details)."
This exposes you to a denial of service - if a malicious entity decides they don't like you, they can grab your source, make 1M short URL requests as you, and you will be unable to make the requests yourself.

Related

Google geocoding API security

I am asking this question after extensively reading Google's recommended approach, but I do have a problem with all these approaches; let me explain the situation.
I use a combination of the geolocation and geocoding APIs to know the approximate state location and then display relevant content. The geolocation API obviously needs to be called from the browser to get the appropriate geolocation of the user. Google provides HTTP Referrer based restriction for this API. I know someone can easily spoof the referrer and make calls with the same API key, so I do not see a huge advantage even though Google recommends this.
On the other hand, Google does not allow HTTP Referrer restriction for the geocoding API, but it does allow that for the Maps JavaScript API. But again, if you are not using Google Maps then using that API is a violation of Google's terms. Now Google recommends moving the code that uses the geocoding web service API to the back-end so that your key will be protected. But since ultimately I need to deliver the result to a front-end web application that is publicly accessible, and I can only make a browser-based Ajax call to first get the geolocation to feed to geocoding, I ultimately need to make an Ajax call to get my geocoding information. Then someone can easily just latch onto my end-point to piggyback on it and call the geocoding API as much as they want. So for situations like this I want to know what the ideal and secure way to deal with it is. Maybe there are other APIs that might be ideal for this situation.
In my case, I am not doing any maps so it's all purely server-side to get latitudes, longitudes and driving distance between two points. This came today from Google support, which might help; if you're using maps, then the links may provide further insight.
Regarding API restrictions, please note that HTTP referrers will not work on Geocoding API since HTTP referrers can only be used for client side services. In other words, Geocoding is a web service API and should only be used on server-side implementation. IP address restrictions should be used for web service APIs. However, if you are using the Geocoding API in a website, IP address restriction would not work. Please check the suitable restrictions for each API in the following link: https://developers.google.com/maps/api-key-best-practices#api_key_table
To make this work, you should create a separate key and use the new one in your Geocoding API request URL. You may add a restriction to this key by using an "API restriction", and restrict it to Geocoding API only. If you don't want to create another key, you may keep using your current one but make sure to change your implementation and use the client side Geocoding service from the Maps JavaScript API. In that case, please refer to this documentation: https://developers.google.com/maps/documentation/javascript/geocoding
Another suggestion would be to get a static IP address from your ISP, especially if you are planning to use it on a public website. For development purposes, a sound solution would be to get three separate keys: one for the staging and tests, another for server-side requests and a third one for client-side requests. That way, you are making sure your API key is protected.
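One server-side pattern that addresses both the first answer (quota exhaustion when the key ships in client code) and the "anyone can latch onto my end-point" concern in this question, as an added example that is not from any of the posts above: the key is read from an environment variable on the server, the endpoint accepts only the one input the page needs, and a per-client token bucket bounds how much quota any single caller can burn. The handler shape, the `GEOCODING_API_KEY` variable name, the client id source and the bucket sizes are assumptions; the Geocoding request parameters are the documented ones.

```javascript
// Added example (not from the posts above): proxy-side logic that keeps the Google key off the client.
const GEOCODE_ENDPOINT = 'https://maps.googleapis.com/maps/api/geocode/json';

// Accept only the narrow input the page needs: one lat/lng pair to reverse-geocode to a state.
function validateLatLng(q) {
  const lat = Number(q.lat), lng = Number(q.lng);
  if (!Number.isFinite(lat) || !Number.isFinite(lng)) return null;
  if (lat < -90 || lat > 90 || lng < -180 || lng > 180) return null;
  return { lat: lat.toFixed(3), lng: lng.toFixed(3) }; // ~100 m precision is plenty for a state lookup
}

// Token bucket per client id (e.g. remote IP): at most `capacity` calls in a burst, refilled at `ratePerSec`.
class TokenBucket {
  constructor(capacity, ratePerSec) { this.capacity = capacity; this.rate = ratePerSec; this.buckets = new Map(); }
  allow(clientId, now = Date.now()) {
    const b = this.buckets.get(clientId) || { tokens: this.capacity, last: now };
    b.tokens = Math.min(this.capacity, b.tokens + ((now - b.last) / 1000) * this.rate);
    b.last = now;
    this.buckets.set(clientId, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// The upstream URL is built here, server-side; the key is added at this point and never echoed back.
function buildUpstreamUrl(coords, apiKey) {
  const u = new URL(GEOCODE_ENDPOINT);
  u.searchParams.set('latlng', `${coords.lat},${coords.lng}`);
  u.searchParams.set('result_type', 'administrative_area_level_1'); // state-level results only
  u.searchParams.set('key', apiKey);
  return u.toString();
}

// Pure decision step (testable offline): rate-limit first, so probing with invalid input also costs tokens.
function decide(req, limiter, apiKey, now = Date.now()) {
  if (!limiter.allow(req.clientId, now)) return { status: 429, error: 'rate limited' };
  const coords = validateLatLng(req.query || {});
  if (!coords) return { status: 400, error: 'valid lat and lng required' };
  return { status: 200, upstream: buildUpstreamUrl(coords, apiKey) };
}

// Route body: call upstream and relay only the one field the front-end needs (assumes Node 18+ fetch).
async function handle(req, limiter) {
  const d = decide(req, limiter, process.env.GEOCODING_API_KEY);
  if (d.status !== 200) return d;
  const data = await (await fetch(d.upstream)).json();
  const comp = (data.results?.[0]?.address_components ?? []).find(c => c.types.includes('administrative_area_level_1'));
  return { status: 200, body: { state: comp ? comp.short_name : null } };
}
```

Pair this with the "API restriction" the support reply describes (key limited to the Geocoding API) and an IP restriction on the server's egress address, so a leaked key is still only usable for this one purpose.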

Is it possible to access the adwords API directly through javascript?

I would like to access the adwords API through a simple single page web application using javascript. I would like to dynamically stop and start some of my adwords campaigns.
I can't seem to find any documentation on the REST endpoints for the API - only documentation for the various libraries.
Is it possible to do this through javascript only?
The current Adwords API is a SOAP-based interface, so there are no REST endpoints to use. It's of course still possible to construct SOAP messages and call operations without using one of the provided libraries.
Having said that, the next evolution of the API (the "Google Ads API") will support both gRPC and JSON REST-based communication, which would probably fit your scenario better. It's not yet ready for production use, however.

Examples of Datastore read/write from ajax?

My single page app is hosted on Google's cloudstore. I love that I don't have to worry about a server. The app is, naturally, javascript heavy.
Now I would like to add a feature where users can store some data, generate a link to be shared with others and retrieve stored data. Think of a pastebin where some snippet of text is saved and a unique link is generated to be shared with others.
In fact, if it helps, think of this as my attempt to create a pastebin without having to setup a server.
It looks like Google's cloud datastore nosql solution is what I want. Given a key, it will return a snippet of text. However, all the examples on the documentation page imply that I have to setup a back end service using python, node, etc.
Questions:
Can't I just read and write from a web page, perhaps using ajax style http call (since I need to get and put text snippets once data has already been loaded)? I believe I can take care of cross-origin issues by changing some configs in the cloudstore static website server.
Obviously I don't want to serve any encryption keys from the web page. I'm hoping that since my site is served from Google as well, I can configure the nosql service handle permissions intelligently for this scenario.
Is there any documentation which shows how to do this correctly?
Google Datastore is not supposed to be used from the client side; it's a server-side database. You cannot do that w/o having server-side code to authenticate, authorize and validate db related requests.
But there's an alternative. Firebase is a ready to use backend for client side applications, including Javascript apps. It's a separate project that belongs to Google but is not (yet?) part of Google Cloud. Take a look - https://www.firebase.com/
Although the REST API is still beta, it is now possible to connect from a web client or anything with RESTful capabilities. https://cloud.google.com/datastore/reference/rest/

Feature or bug in the google url shortener depending on authentication method

If one calls the insert method while passing an api key on the request, then passing in a url like http://mostmedia.com/recent-projects always returns the same shortened url.
But if you authenticate using OAuth then you get a new unique id for every long url you pass in, even when they are the same.
You can see this behavior in the api explorer when you toggle OAuth authentication on and off:
https://developers.google.com/url-shortener/v1/url/insert
I don't see this documented anywhere, so it's hard to know whether this is a feature or a bug, or how we can expect it to behave in the future.
Does anyone know the official google line on this?
This is the intended behavior, see the section titled "Creating links when you're signed in vs. signed out" on this doc: https://support.google.com/faqs/answer/190768 copied below:
Creating links when you're signed in vs. signed out
Signed in: Your links are automatically added to goo.gl where you can track their use. A unique short URL is created each time a long URL is shortened.
Signed out: Your links won't show up on your goo.gl page. The same short URL is reused each time a long URL is shortened by you or someone else.
That doc refers to the consumer product, but the behavior applies to the API as well. OAuth authentication is the API equivalent of being signed-in.
The reason a new short URL is returned on each call is so you can utilise multiple short-urls for tracking purposes.

how to call a Google API

I read the following two pages on Google:
1) https://developers.google.com/google-apps/documents-list/#getting_a_list_of_documents_and_files
and
2) https://developers.google.com/accounts/docs/OAuth2WebServer
I can go as far as getting an access_token (OAuth2) to be used in a subsequent Google API call (I want to call Google Docs Listing or Google Drive).
I wanted to use curl or something similar and just form my https URL.
- As such, the 1st document states to form a URL as follows:
https://docs.google.com/feeds/default/private/full
- In the 2nd document, the example states to use something like https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxxx
(adding the access token to the call)
Several questions:
- Do I call googleapis.com or docs.google.com?
- Can I call https://docs.google.com/feeds/default/private/full?access_token=xxxxx
i.e. just add the access token to the call?
thanks
You need some effort to approach a Google API the first time, but then it's easy and elegant:
Manual preparation (one-time action): Sign in to Google, create a project, enable the API in question, create a new Client ID.
Get OAuth code, refresh token and access token (one-time action).
Make the API call (repetitive arbitrary actions).
Here is a detailed explanation of the entire process - Steps to make a Google API call.
A practical sample based on the Google Calendar API with full demo code in a single HTML file can also be reviewed here - Easy and compact access to my Google calendars.
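The three steps in the answer above, carried through as an added example that is neither the poster's code nor Google's client library: build the consent URL with a per-session `state`, exchange the one-time code for tokens on the callback, refresh later, and then call the API. The access token goes in an `Authorization: Bearer` header rather than the `?access_token=` query string the question considers, because query strings end up in server logs and Referer headers. The `client` object shape, the `send` helper and the credential values are assumptions; the endpoints, the Drive v3 files URL and the scope name are the documented ones.

```javascript
// Added example of the three steps above (not the poster's code, nor Google's client library).
// Endpoints and the Drive scope are the currently documented ones; client credentials are placeholders.
const AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const DRIVE_FILES = 'https://www.googleapis.com/drive/v3/files';
const FORM = { 'Content-Type': 'application/x-www-form-urlencoded' };

// Step 1: consent URL. `state` must be an unguessable per-session value that the callback checks,
// otherwise an attacker can finish the flow with their own code inside the victim's session.
function buildAuthUrl(client, state, scope) {
  const u = new URL(AUTH_URL);
  u.searchParams.set('client_id', client.id);
  u.searchParams.set('redirect_uri', client.redirectUri);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('scope', scope);
  u.searchParams.set('access_type', 'offline'); // also returns a refresh token
  u.searchParams.set('state', state);
  return u.toString();
}

// Step 2: callback handling. Refuse before using the code if `state` does not match the session.
function buildCodeExchange(client, callbackQuery, expectedState) {
  if (!expectedState || callbackQuery.state !== expectedState) throw new Error('state mismatch');
  const body = new URLSearchParams({ code: callbackQuery.code, client_id: client.id, client_secret: client.secret,
    redirect_uri: client.redirectUri, grant_type: 'authorization_code' });
  return { method: 'POST', url: TOKEN_URL, headers: FORM, body: body.toString() };
}

// The refresh token is a long-lived credential: store it server-side, never in page source or localStorage.
function buildRefresh(client, refreshToken) {
  const body = new URLSearchParams({ refresh_token: refreshToken, client_id: client.id,
    client_secret: client.secret, grant_type: 'refresh_token' });
  return { method: 'POST', url: TOKEN_URL, headers: FORM, body: body.toString() };
}

// Step 3: the API call. Bearer header instead of ?access_token=, so the token stays out of logs and Referers.
function buildApiRequest(accessToken, pageSize = 10) {
  const u = new URL(DRIVE_FILES);
  u.searchParams.set('pageSize', String(pageSize));
  u.searchParams.set('fields', 'files(id,name)');
  return { method: 'GET', url: u.toString(), headers: { Authorization: `Bearer ${accessToken}` } };
}

// Sends any request built above (assumes Node 18+ global fetch).
async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`${req.url} -> HTTP ${res.status}`);
  return res.json();
}
```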
The fastest way to get started is probably the quickstart guide for the Google Drive API, which shows how to setup your environment and write a complete command-line app to upload a file to Drive:
https://developers.google.com/drive/quickstart
Hi, you can go through the Google Docs sample available here.
It's a command-line sample but you can implement this same thing in Android. It works for me. You will find "docs-cmdline-sample" in the repo; that will help you.
