I have a worker (servlet) called by a queue in google app engine.
I can call an external URI for reverse geocoding like: http://nominatim.openstreetmap.org/reverse?format=xml&lat=51.0475&lon=3.5323&zoom=18&addressdetails=1
But when I try to call the "The Google Geocoding API" with/without the key parameter: http://maps.google.com/maps/api/geocode/json?latlng=51.0475,3.5323&sensor=false, I always get the following message: Attempt to access a blocked recipient without permission. (mapped-IPv4)
The billing is active, the key is also defined in the dev console, and the URL with the key work in my browser but not from app engine.
Any ideas? Thanks
to avoid the issue, i don't use anymore the org.apache.http.client package but now i use the com.google.appengine.api.urlfetch package.
Now the URI to google also work
thanks
Related
First of all I want to use Google Places API for autocomplete. I have created API key and it works fine. I make api calls from client so I need to protect or restrict it. I tried to use HTTP restriction, but it doesn't work with Places API. There are recommendation in the docs to use IP restriction but it requires that some proxy server to make api calls. So which way is right? Do I need proxy server with IP restriction to make api calls? Or is there some way to make secure api calls from client?
Normally, when you are calling the requests from the Client-Side, it should be restricted via HTTP referrers, and IP address restrictions are used when you are calling the requests from the server-side which has a static IP address. If you're calling from the Client-Side and your HTTP restrictions are not working, it will be best to file a support case via https://console.cloud.google.com/google/maps-apis/support in order to open personalized communication channel as this must be an isolated case and might have something to do with your configuration in your GCP console.
I would also recommend to check the sample HTTP restriction below:
example.com
*.example.com
These two will allow your API key to be used in all subdomains and paths in your website.
I'm trying to deploy a Google Apps script via the Google REST API, and I'm using the API Explorer to perform that.
This is the method I am testing:
https://developers.google.com/apps-script/api/reference/rest/v1/projects.deployments/create
Executing the method via the API Explorer returns a 404 error. I have verified that the scriptId in question does exist, and have tried several other scriptIds, to no avail. I have also made sure the permission scopes are properly set.
This is what the API Explorer gives me.
Worth mentioning that the same scriptId works when calling another method such as projects.get.
Is there anything I am missing, or is this an issue on Google's end?
In case of the latter, what are the steps to contact Google Apps Script's team and inform them of this issue?
Your versionNumber is incorrect. The Requested entity here refers to the version of your script. You need to go to File>Manage Versions>Save New version to create a new version(or create one with the api1) and use that version number in the request body.
Check your authorization scopes. You need to have the following scope enabled:
https://www.googleapis.com/auth/script.deployments
If its not in the list of available scopes in API Explorer then you'll need to add it manually (there is an area at the bottom of the authorization dialog where you can add scopes).
Google's API Explorer uses API keys to authorize requests. In some cases an API key is not sufficient and an OAuth2 (bearer) access token is required. As an alternative you can create an Apps Script project and add the appropriate scopes via the manifest file(appsscript.json). Then you can use UrlFetchApp.fetch() to test the API directly.
I want to use from my android/ios app the autocomplete api. For this I need to call url like:
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=paris&key=<myapikey>
the problem is: What can make that someone else will not extract from my app my api key and use it for his own purpose ? It's important because at the end it's me who will be billed by google for the usage ...
Your intention is to call a Places API web service. Google Maps web services support only IP address restrictions.
You can check what type of restriction is supported by each API on the following page:
https://developers.google.com/maps/faq#keysystem
In order to protect an API key that is used with your sample request you should create an intermediate server and send your requests from this server. So your application should send request to intermediate server, intermediate server should send Places autocomplete request with protected API key to Google and pass response back to your app. In this case you can use an IP address of your intermediate server to protect unauthorized access with your API key.
I hope this helps!
What if you create and intermediate server and create a token for each single user, and also create a monitoring service which block suspicious behavior?
for example, a normal user would request x times/per day || hour || ...
Or
when a user runs application for the first time, application receives the [encrypted api + decryption key] and store them to a safe place like keychain(for iOS)
As I know, if you request directly to google-map-api there is always a way to sniffing packets.
I receive a 403 error in google maps API dashboard for the geocoding API after limiting the key to my domain. The geocoding works when the key is unrestricted. Currently I have the following as acceptable HTTP referrers:
https://website.com/*
https://www.website.com/*
This allows my basic javascript map and autocomplete forms to work on HTML pages. However, the geocoding is done through a python script that accesses website.com/markers (has no HTML page, just displays JSON data if you visit it). Is there a reason it will not work? The 403 error is what I see in the API dashboard, but I receive an internal server error message when visiting website.com/markers. When unrestricted, the dashboard shows response code 200 and I can see the correct JSON data. Therefore, I believe my code is not the issue.
Things I have tried:
Allowing “https://website.com/markers” as a referrer, as well as www. version of that, and http versions. Also used versions without http or https.
Changing to allow IP address of website (referrer not allowed error happens when I do this)
Double checking all references to API key in code. Code works in development and in production when unrestricted.
Double checked that all needed services are enabled in Google api console and not over quotas.
I have searched for this issue for hours and cannot find an answer, please go easy on me if I have overlooked something simple.
It sounds like you're trying to use the method of URL restriction intended for use with client-side web api's. In that case, the public URL of the site is used in the validation.
You want to use the IP address validation, intended for server-side calls.
The following is from https://developers.google.com/maps/faq#keysystem:
API Key: An API key is a unique identifier that you generate using the
Google API Console. API keys are generally used with the standard
APIs. Premium Plan customers1 typically can choose to use a client ID
or an API key. You can choose to use an API key without applying
restrictions (called a “generic API key”) or a key with restrictions
applied for greater security. APIs in any platform may use a generic
API key.
You can optionally add a restriction (for example, IP address) to the
API key. Once restricted, a key will only work on platforms that
support that type of restriction. Four types of API key restrictions
are available:
IP addresses (individual servers) - for use with the web service APIs.
HTTP referrers (web sites) - for use with the Web APIs.
Android app restriction (by package name and fingerprint) - for use with the Android APIs.
iOS app restriction (by iOS bundle identifier) - for use
with the iOS APIs.
You need a different key for the webservices. You can't apply both HTTP and IP restrictions on the same key. You need HTTP Restrictions on your Google Maps Javascript API v3 key and IP Restrictions on your web service key.
I have a cross-platform app with cordova , but now the google map is not working.
I have this error :
MissingKeyMapError
I try to create new api browser key in google console with "*" authorization url , but still not working. i have this error : RefererNotAllowedMapError
the window.location.href of my app is :file:///Users/bahri/Library/Developer/CoreSimulator/Devices/757EE924-9884-44B1-BBF5-04CFF3D68C80/data/Containers/Bundle/Application/820BF808-DFF7-4AB0-8BF8-179D278E90D5/com.taxiwink.taxiwinkapp.app/www/index.html
How can I resolve this issue?
As per today (15 Jul 2020) the following http referrers allows to show a Google map in a cordova app:
iOS:
__file_url__//var/containers/Bundle/Application/*
__file_url__//private/var/containers/Bundle/Application/*
(credit to yannisalexiou for having added the last one which works from iOS13)
Android:
__file_url__//android_asset/www/index.html#/*
__file_url__//android_asset/www/index.html
cordova simulate (eg: simulate ios --target=chrome)
127.0.0.1
localhost
the referrers go into the Google Console API management (API-Project, credentials, referres) at:
https://console.cloud.google.com/apis/credentials/key/abcxyz?project=api-project-123456
NOTE: developed from the answers here https://github.com/wevote/WeVoteCordova/issues/55
MissingKeyMapError Error
The script element that loads the API is missing the required authentication parameter. If you are using the standard Maps JavaScript API, you must use a key parameter with a valid API key. If you are a Premium Plan customer, you must use either a client parameter with your client ID or a key parameter with a valid API key.
See the guide to API keys and client IDs.
From :
https://developers.google.com/maps/documentation/javascript/error-messages#deverrorcodes
https://developers.google.com/maps/documentation/javascript/get-api-key
Also:
Registering authorized URLs
To prevent a third party from using your client ID on their own website, the use of your client ID is restricted to a list of URLs that you specifically authorize.
To see the URLs you have already authorized or to authorize additional URLs:
Log in to the Google for Work Support Portal.
In the left-hand menu, click Maps: Manage Client ID.
You can add up to 100 URLs at a time, to a total of 3000 URLs. If you require higher limits, please contact support.
HTTP and HTTPS protocols are considered different URLs.
For example, if https://example.com is authorized, http://example.com is not necessarily authorized. If you'd like to authorize both at once, you may add a domain without using a protocol: example.com/
You should empty the list of authorized HTTP Referers for your key, in the API Console. This should make the map succeed (after a 5-min propagation delay).
Related issues (it's suggested to "star" them to get an update on their resolution):
Support API key restrictions with file:// referers
Google Maps
API error: MissingKeyMapError when loading from file://
UPDATE
Good news, now you can use file:/ referrers. You can see the following text in the documentation
file:// referers need a special representation to be added to the Key restriction. The "file:/" part should be replaced with "__file_url__" before being added to the Key restriction. For example, "file://path/to/" should be formatted as "__file_url__/path/to/*". After enabling file:// referers, it is recommended you regularly check your usage, to make sure it matches your expectations
https://developers.google.com/maps/documentation/javascript/get-api-key#key-restrictions