I can login with
<script src="https://accounts.google.com/gsi/client" async defer></script>
I have created an api key for google drive on the console dashboard. According to Drive js api. I should not put the key in a public webpage.
Is there a way to get my api key from after logging in with the account that owns the key via javascript?
An api key is used for accessing public apis. Unless the file you are trying to access is public you are not going to be able to access it. That tutorial also tells you to create Web application. Which will allow you to authorize your user to access their data.
Is there a way to get my api key from after logging in with the account that owns the key via javascript?
Api keys and web application credentials as which that tutorial shows you how to create are owned by you the developer. They are used to request authorization of the users of your application. So no there is no way that the users of your application could give you an api key that must be created by you the developer.
Restrict your api key
due to the fact that javascript is client side if anyone does a view source they are going to see your api key. That is why it is a good idea to setup restriction for your key in Google clound colsone
Apikeys
There are a number of ways to restrict your key
You can restrict it by API restrictions limiting what apis it can be used for.
You can set up Application restrictions which will limit things like what websites it can be used from or an ip address.
A key in production should always have restrictions applied.
Related
I am currently working with the Google Analytics API. I have implemented ga react package, so the analytics tool can show me the required data.
As per my understanding, Google uses OAuth 2.0 to identify the user and grant access. As my application has it's own user(s) and every user is not available in google.
Is it possible to access the Google analytics API inside my application?. API should get called using an only the API key.
So is it possible to access Google analytics API with the only key?
First off let me start by saying im not sure i understand this statement
As my application has it's own user(s) and every user is not available in google.
I am going to assume that you are trying to show the users of your application the analytics data from a single analytics account which they dont have access to.
API Keys
Api keys are used to access public data only. Public data is data that is not owned by any user. Public Videos on YouTube, Google analytics meta data API, Holiday calendars on google calendar these are all examples of Public data not owned by any user.
Private data
In order to access private user data you must have the permission of the user who has access to that data. Google analytics data is private user data you own the data associated with your account. In order for your application to access that data it must have your permission to do so. Permission is grated using Oauth2.
If you will only ever be accessing your own account and you will not be accessing data owned by other users then you could consider using a service account. Service accounts are dummy users you can share your google analytics account with the service account there by preauthorizing its access and it will then be able to access the data without needing to be logged in all the time. The issue with service accounts is that it cant be used client side you will need to use server sided code for this. I am not a react developer so im not sure if thats one of the JavaScript frameworks that can also run server-sided or not.
I have web app with html/js. Integrated Google Picker library for gdrive. In browser dev tools/source code: developerKey, clientId, appId are being exposed. Does that pose any security risk(1) or those can be public? If not, what are possible ways to hide it?
(1) I've limited developerKey in Google Console to be used only for gdrive and nothing else.
There's no security risk because those can't be used to authenticate to your account or get private information, but someone could use your API key to make requests to Google APIs that exposed public information (Google Maps for example) and be charged for those quota expenses. To prevent that quota "theft" you have 2 options:
1) Follow the Google guidelines to restrict your API key to be used only from a specific URL or certain IP addresses.
2) Set up a backend service to authenticate each user in order to get the API key as explained in this answer.
I'm writing an app in JS that fetches Google Calendar events using Google Calendar API. I've already generated an API Key and Client ID - do I have to do something to try and 'secure' them? Their tutorial puts them directly in the JS file (https://developers.google.com/calendar/quickstart/js), but then I dig further into the dev docs (https://cloud.google.com/docs/authentication/api-keys#securing_an_api_key) and it says not to embed the API key into the code...but that could just be for paid API keys?
I'm writing this mini webapp for a class so I only need it to work for like 6 weeks. I'm hosting it via GitHub Pages, and it was the one that alerted me about the API Key when I pushed the code.
Bottom line - is it safe for me to embed the API key into the JS code that gets pushed to github and made publicly available (so I can have just a frontend and use GitHub Pages)? Or do I need to take some kind of preventative measures?
Thanks in advance!
Api key is only used for accessing public data. For example you could use it to access the Google Calendar public holiday calendars. That being said yes you should keep your api key secrete and not share it but google is aware that this is not possible with client side languages like JavaScript so i have never heard of anyone getting in trouble for leaking their api key by having it in a JavaScript application.
This warning is mainly means that you should not put it in a GitHub open source repository that anyone can download and then run. You must instruct people how to create their own.
That being said if you are trying to access private user data then you should be using Oauth2 to authenticate your users and this you can lock down to only your domain due to the need for a redirect uri. As you say you have created a client id i suspect that you have already done that. Apikey in the javascript code isnt strictly needed if you have added the client id for oauth2.
I'm trying to use Google Analytics API in Javascript. I want to:
Query Data for a specific website (under my control)
Use the data to build an open-to-the-public dashboard
Every example I can find requires you to use OAuth to authenticate before you can query data. Because I only want to query (not delete/modify), is there a way to use a simple API Key to grab the data I need?
Yes and No. The Google Analytics Core Reporting API is an Authenticated API and requires the use of OAuth2, authorized with the appropriate scope:
https://www.googleapis.com/auth/analytics.readonly
The API key simply identifies your Google Project, it does not necessarily grant you authorization to read the data of your Google Analytics Accounts, even if that account is associated with the same Google Login. The API key is usually public and lives on the client browsers, it would not be secure to grant access to anyone's Google Analytics Account data simply if they had access to a particular key.
What you are going to need to do is use a service account to access the data. Take a look at the Google Analytics Demos and Tools site. There they have a really good example example of using a service account server side to generate an access token and then has the JavaScript Client library make the final request. Alternatively you could build something akin to the Google Analytics Super Proxy which can query the API on your behalf and generates a public URL which can then be queried separately.
I'm getting ready to launch an Angular/Node web application which uses the YouTube V3 API. The app was released about 3 weeks ago as a "beta version" for market validation and was pretty successful in beta. It's not going to be a commercial success, just a fun app that makes peoples lives a little bit easier. I have one issue/concern, should I be hiding my YouTube V3 API key, client id, and scopes? Or can I assume that since only my domain name is whitelisted, that the potential hackers/people who try to use the API key, won't be able to make any calls or do any damage so therefore I have nothing to worry about?
These are the specific calls I'm worried about (not the real ids/keys)
Index.html Script Tag
var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com';
var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];
In Angular, Controller.js
.value('google_api_key', 'jfasdkjfdnstnewurweqjtndi')
gapi.client.setApiKey(google_api_key);
For Simple Access to Google APIs, API key is the only credential required for the request, and it is a unique identifier of your app/project. It provides API access and is subject to quotas.
You should keep it a secret!
If you have a client-side-only app (without a server), then use OAuth 2.0 Client-side Flow
From Google's Documentation:
Best practices for securely using API keys:
When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:
Do not embed API keys directly in code
API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.
Do not store API keys in files inside your application's source tree
If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.
Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them
By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the Google Developers Console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.
Delete unneeded API keys
To minimize your exposure to attack, delete any API keys that you no longer need.
Regenerate your API keys periodically
You can regenerate API keys from the Google Developers Console by opening the Credentials page and clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.
Review your code before publicly releasing it
Ensure that your code does not contain API keys or any other private information before you make your code publicly available.