So, Google Places API allows me to receive JSON data through a Google Places API search using a simple:
"https://maps.googleapis.com/maps/api/place/search/json?location=-33.8670522,151.1957362&radius=50&client=clientId&sensor=true_or_false&signature=SIGNATURE"
(note, includes signature/key).
Why does SimpleGeo not allow this same feature? Is it possible? What is the purpose of all of this server side code that SimpleGeo uses?
Regards,
Ryan
SimpleGeo has recently announced a JavaScript SDK, which includes a JSONP API. This should allow you to do exactly what you're asking -- requesting read-only information from their Context and Places APIs purely from the client side with a simple key to authenticate the request.
I think there are still plenty of purposes for accessing SimpleGeo's data from a server-side application -- not all developers are writing purely JavaScript client-side applications -- but I agree that this new SDK will help a lot of developers.
Also, if you're looking for straightforward REST access to JSON resources without any client libraries, that's also present. See SimpleGeo's documentation on API endpoints.
Related
I am aware that you can create and delete incoming webhooks using the ReadTheDocs UI (for GitHub, GitLab, etc. integration), but I need to be able to do this without accessing the UI to automate the process. Is this possible? Or will webhook management be added to the API soon?
The API v3 documentation does not list an endpoint to add an integration. Therefore, at the moment this is not possible.
For feature requests, it's better to open an issue upstream.
Does anyone (you know who you are) know exactly what is disappearing when Autodesk deprecates the /v1 equivalent of the ModelDerivative API?
I've taken care of everything that was in the blog post here:
https://forge.autodesk.com/cloud_and_mobile/2016/09/autodesk-forge-apis-migrating-from-v1-to-v2.html
But I also have some calls such as:
/viewingservice/v1/:URN/status
and:
/viewingservice/v1/items/:dbpath object_ids.json.gz
That were not specifically mentioned. Will these also need to be modified?
These endpoints will no longer be valid. The status of a translation can be obtained by using the GET :urn/manifest endpoint.
We have official SDK's for multiple programming languages that will make it easier to handle the REST calls.
To download the derivatives of a model, the SDK's do not expose direct methods so you actually have to issue the calls "directly". Take a look at the extract.io sample that expose the full download workflow, more specifically there.
Hope that helps
I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.
Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.
Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?
I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.
(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server i.e. https://yourserver.com/js/googleapis/maps/api/js and make mod_rewrite this URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY
A rule for mod_rewrite (not tested) could look like this:
RewriteCond %{QUERY_STRING} ^$
RewirteRule ^/googleapis/maps/api/js (.*)$ https://https://maps.googleapis.com/maps/api/js?key=API_KEY
I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.
(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyways you cold go a road where the API key service hands out the API key only to registered and authenticated users.
Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.
No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. IF it were possible to just debug a prod app, then say goodbye to security.
Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.
Personally, I'd also obfuscate the source when building prod version.
Hope it helps
I am an amateur website developer but proficient in html and javascript.
I have a handful of websites using the Google Maps API V2 with no problem. I tried to upgrade to V3. I got a new API key and used the sample html (based on Australia) provided by Google. All I got was the 'disabled' message.
If I remove the key completely it works! What am I doing wrong?!! (www.gn45.com/gmap.html)
This message appears, because there's a particular domain whitelist, that is configured for each business account. By default, you can always access google APIs with an API key from localhost, but any other domain should be specifically set within account management.
With the mobile application, your index.html is read from the filesystem and then passed to in App Browser. Therefore google rejects a request to the API with API key. You can temporarily remove API key from your request and access the API without any, this way you'll have a 50k request/month limit, which should be sufficient for development purposes.
I'm looking for a way to configure this myself, as soon as I find one, I'll provide an update.
I'm writing a client side interface for the Google Data API, whilst trying to avoid using any proprietary Javascript SDK on offer.
I have made successful XHR2 and JSONP GET requests, but am drawing a blank when it comes to POST'ing multipart messages with files attached. I see from prying into the Javascript SDK that its using an iframe and proxy.html and presumably postMessage to circumnavigate the same origin issues. I am unaware of a way to detect postMessage's communications.
Is the XD postMessage hack documented anywhere?
Thanks
Andrew