Recaptcha subdomain and multitenancy - subdomain

I'm using google Recaptcha v2.0 for my application.
This is a multitenancy app in which we create a subdomain for each tenants:
tenant1.myapp.com
tenant2.myapp.com
tenant3.myapp.com
Until now, we are registering manually each subdomain in the Google Recaptcha Admin.
I wonder if in terms of security if could be enough (and safe) to just register the main domain:
app.com
"if you specify the API key pair to yoursite.com, the following table shows whether or not reCAPTCHA will work for the domain and its subdomain variations"

Related

Reposting: Not possible to use Google login authenticator button for Google webapp [duplicate]

When attempting to use Google federated authentication login button for a Google webapp, error message identified mismatch with related URI and javascript host domains. Solutions, as in this 2019 post (Get gmail address using Google Apps Script, Error: redirect_uri_mismatch) weren't working for me.
I then found this recent article: What is the Authorized Javascript Origin for a webapp powered by Google Script?
I understand it to say that, due to recent actions by Google, it is no longer possible to use the Google authenticator for a Google webapp because redirect URI and javascript origin host domains "cannot be googleusercontent.com”, which is the host domain for Google webapps.
So, my question duplicates earlier posts (i.e., 2019) but in new circumstances. The conclusion of the recent post I've cited seems so radical to me that I'm seeking confirmation, or explanation of how I am misunderstanding it.
As background: I need the webapp to operate under the "(me)owner" account for connectivity to owner spreadsheets, but also need the user's Gmail address (required) for application access control (no other access to user Gmail account; users not all in a shared Workspace domain). Google login would provide the user Gmail address. So, before totally abandoning this solution, I hoping to get additional clarification.
According to the official docs, it's not possible to use Google Sign-In for Websites, and this post from the Google Apps Script Issue tracker Fail to Add *.googleusercontent.com into Authorized JavaScript origins as Google Apps Script uses googleusercontent.com
To achieve your goal, as I mentioned in your previous question, you might use the UrlFeth service to call the Google Sheets API to do the connectivity to your spreadsheet and setting the web app as the user instead as you.
From https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
Domain
Host TLDs (Top Level Domains) must belong to the public suffix list.
Host domains cannot be “googleusercontent.com”.
Redirect URIs cannot contain URL shortener domains (e.g. goo.gl) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain “/google-callback/” in its path or end with “/google-callback”.
Related
How to Properly Configure GAS Web App (as another user) to Execute GAS API Executable (as me) using OAuth2?
User access request when GAS run as the user
While true that you can no longer add googleusercontent.com, you may be able to solve this by using two webapps and managing authentication/authorization between the two:
Webapp#1:
Run as: Me
Access: Anyone even anonymous
Webapp#2:
Run as: User
Access: Anyone
You may be able to create a jwt token from webapp#2 and verify it on webapp#1. As it is a custom solution, security may be questionable.
References:
Authenticate with a server - Here, webapp#1 acts as server and webapp#2 acts as client.
ScriptApp.getIdentityToken()

Programmatically add domains to Google reCAPTCHA v3

I am working on adding Google reCAPTCHA v3 to FreeToastHost, a free forms & template based website generator/content management system specifically made for use by Toastmasters public speaking clubs around the world.
One challenge I have in implementing this is that in addition to our use of a root domain and subdomains for accessing each club's website, we also support each club purchasing their own "custom website domain" through a registrar which they they tie to our server's IP address via their DNS settings.
We do require that each club save these "custom domain names" in the system (gets stored in our db) so we can still generate their website by looking up their custom domain in our db to fetch their content. At this point we have about 80 clubs of the 12000+ using the system that also have custom domains.
I will not know these custom domains in advance, so I have had to just register our root domain for Google reCAPTCHA v3, shut off the domain checking setting because of the custom domains, and resolve to do our own domain checking.
I would prefer that Google do the domain checking, but without an API to add domains programmatically / dynamically and with their 50 domain limit per key-pair, I am just not sure what else to do other than doing our own domain checking.
Anyone have any fresh ideas on this?

Cordova google map key api error

I have a cross-platform app with cordova , but now the google map is not working.
I have this error :
MissingKeyMapError
I try to create new api browser key in google console with "*" authorization url , but still not working. i have this error : RefererNotAllowedMapError
the window.location.href of my app is :file:///Users/bahri/Library/Developer/CoreSimulator/Devices/757EE924-9884-44B1-B‌​BF5-04CFF3D68C80/data/Containers/Bundle/Application/820BF808-DFF7-4AB0-8BF8-179D2‌​78E90D5/com.taxiwink.taxiwinkapp.app/www/index.html
How can I resolve this issue?
As per today (15 Jul 2020) the following http referrers allows to show a Google map in a cordova app:
iOS:
__file_url__//var/containers/Bundle/Application/*
__file_url__//private/var/containers/Bundle/Application/*
(credit to yannisalexiou for having added the last one which works from iOS13)
Android:
__file_url__//android_asset/www/index.html#/*
__file_url__//android_asset/www/index.html
cordova simulate (eg: simulate ios --target=chrome)
127.0.0.1
localhost
the referrers go into the Google Console API management (API-Project, credentials, referres) at:
https://console.cloud.google.com/apis/credentials/key/abcxyz?project=api-project-123456
NOTE: developed from the answers here https://github.com/wevote/WeVoteCordova/issues/55
MissingKeyMapError Error
The script element that loads the API is missing the required authentication parameter. If you are using the standard Maps JavaScript API, you must use a key parameter with a valid API key. If you are a Premium Plan customer, you must use either a client parameter with your client ID or a key parameter with a valid API key.
See the guide to API keys and client IDs.
From :
https://developers.google.com/maps/documentation/javascript/error-messages#deverrorcodes
https://developers.google.com/maps/documentation/javascript/get-api-key
Also:
Registering authorized URLs
To prevent a third party from using your client ID on their own website, the use of your client ID is restricted to a list of URLs that you specifically authorize.
To see the URLs you have already authorized or to authorize additional URLs:
Log in to the Google for Work Support Portal.
In the left-hand menu, click Maps: Manage Client ID.
You can add up to 100 URLs at a time, to a total of 3000 URLs. If you require higher limits, please contact support.
HTTP and HTTPS protocols are considered different URLs.
For example, if https://example.com is authorized, http://example.com is not necessarily authorized. If you'd like to authorize both at once, you may add a domain without using a protocol: example.com/
You should empty the list of authorized HTTP Referers for your key, in the API Console. This should make the map succeed (after a 5-min propagation delay).
Related issues (it's suggested to "star" them to get an update on their resolution):
Support API key restrictions with file:// referers
Google Maps
API error: MissingKeyMapError when loading from file://
UPDATE
Good news, now you can use file:/ referrers. You can see the following text in the documentation
file:// referers need a special representation to be added to the Key restriction. The "file:/" part should be replaced with "__file_url__" before being added to the Key restriction. For example, "file://path/to/" should be formatted as "__file_url__/path/to/*". After enabling file:// referers, it is recommended you regularly check your usage, to make sure it matches your expectations
https://developers.google.com/maps/documentation/javascript/get-api-key#key-restrictions

Google Maps JavaScript API v3 for Work UnauthorizedURLforClientIdMapError

I'm using Google Maps Web Services API for work, and they've given me a client ID. When I load up the main page, I don't get an error. However, when I click a sub-page, eg localhost:8080/pages/page.xhtml, I get an error called UnauthorizedURLforClientIdMapError, with the message that this URL is not authorized to use the provided Google Maps client ID.
For reference, Google discusses it in its documentation here: https://developers.google.com/maps/documentation/business/clientside/auth#registering_authorized_urls
With all that being said, I'm currently testing my server with TomCat using the URL http://localhost:8080. This domain has been authorized, as has my individual IP. In my view files, I'm adding this:
<script src="https://maps.googleapis.com/maps/api/js? &client=MY_CLIENT_ID
&v=3.19
&channel=MY_CHANNEL" type="text/javascript"></script>
where 'MY_CLIENT_ID' and 'MY_CHANNEL' are obviously changed to suit my needs (my client id and channel are correct). I've searched through stack overflow and also read all of the relevant Google Documentation but I feel like I'm missing something very small (or large, I'd hope not though).
What's going on?
Each URL that uses Google Maps for Work with the ClientID must be authorized to use that clientid.
You can find all the details here. But this is the summary:
The domain name or IP address does not have to be publicly accessible
All subdomains of a specified domain are also authorized.
All subpaths of an authorized path are also authorized.
Paths are case sensitive.
You may restrict valid URLs to those using certain ports.
HTTP and HTTPS protocols are considered different URLs.
If you are getting the UnauthorizedURLForClientIdMapError, look through the URL authorization rules and see if you simply need to add the URL to the list of authorized URLs.
Btw, here is the the list of Google Maps API Error Codes with explanations.
You must allow the referred URLs related to that Client ID in the Google support management portal.
Access to the Google Support Management portal - http://www.google.com/enterprise/portal - , login with your enterprise google account, then in the left menu, go to "Maps, Manage Client ID" link, select you client id in the combo, and in the "Enter the URLs" textarea, write the referrer URL you want to authorize and click on "Add URL" button.
If you are using a ClientID instead an API KEY to authenticate to Google Maps services, the referrer URLs must be authorized here. If you are using an API KEY, yo must authorize the referrer urls from the google developers console.

How to register Google Maps API key for a client's domain I don't own?

I have a website I developed for a client. One of the pages displays a list of street addresses, for which I also have LAT/LONG data. The client requested to add a little map next to this list with a marker for each address.
I would like to use Google Maps API v3, but I have a problem registering client's internet facing URL, which has a form of "ip address:port" (i.e. something like http://123.45.67.89:555) and which I - naturally - do not own and do not have domain admin access. Likewise, their domain admin - whoever s/he is - does not and will not have access to my Google API project for which I'm trying to register the key.
So far I was able to register the client id for local development in a form of http://localhost:5555, but when I'm trying to add the client's URL I'm getting an error
OAuth 2 redirect URL "http://123.45.67.89:555" is invalid.
I searched for solution for this problem and found a suggestion to whitelist the URL in the Google API Console. Yet when I'm trying to add this URL to approved domain list ("notification endpoints") I'm only getting another error:
You do not have access to the following domain:
http://123.45.67.89:555
which is, of course, true. The documentation also says I cannot register a domain I don't own.
So, my question is: how do I register a Client ID for Google Maps API V3 for the client's URL to which I don't have domain admin privileges and whose domain admin doesn't have access to my API project?
Thank you!
Nikolai
You can create a view of the table (File | Create View ...) and own the view (https://support.google.com/fusiontables/answer/171206?hl=en) - thus enabling you to have your own version of the table which is in sync with changes.
As a footnote remember to deal with Cross Origin Resource Sharing (CORS) in your API project by using JSONP for example (https://developers.google.com/storage/docs/cross-origin).
If your are using Google Maps API v3, there is no need to use Google API Key. Simply use below script.
<script type="text/javascript" src="http://maps.googleapis.com/maps/api/js?sensor=false"></script>