I've built an app with vanilla JavaScript that searches for nearby dogs to adopt. It uses the Petfinder API, which is free. Anyone can request one. After doing some research, I've found that you cannot hide your API key and secret (without your own server, if that's correct).
So should I just go ahead and publish this website? I'm buying a domain for it and using my existing hosting. Are there any risks with having this info out there?
The app does not take in any personal information. Just searches dogs by zip code and distance, and displays info about the dog and where to contact.
I'm a beginner with this stuff, as this is my first API project.
Not hiding your API key and secret may result in others using your API for free which is possible abuse to you if you paid for it.
Attackers might use your credentials for attack and the blame goes on you.
If the API you use works on GET requests and is a feature of some public application, others can easily get your API key anyway.
Given the nature of API you're using, hiding the API key might not be necessary.
Anyone that can get to your api key and secret can then access that api and pretend to be you.
Related
I created a HTML5 app that is using the YouTube Data API v3 and want to put it on itch.io
When I do this, the API key will be in some form in there, so people could find it (yes I could try to obfuscate, but that only makes it harder to find the key, not impossible).
So I want to restrict the project / API key as much as I can to prevent someone from misusing the key.
I hoped that I could somehow restrict it to only allow reading access (because that's all the app needs, it just queries view + like count and comments from videos), so nobody can use it to write a comment in my name or something like that. But I couldn't find that option.
What I could do so far is
I restricted the key to only use the YouTube Data API v3
I restricted the use to HTTP referrers and to the website https://v6p9d9t4.ssl.hwcdn.net/
That last domain is the place where itch.io puts the app. But if someone would take my key and put their app on itch.io as well, that would be the same domain, so it doesn't help, really.
Is there another option to make this more secure, that I haven't found? The only thing I can imagine now is, to write a service or FaaS that my app calls (without any key) and that then calls the API. But I would like to avoid that.
There seems to be a lot of documentation lying around everywhere about how to use Google Cloud Platform and its fancy AutoML service. But I couldn't find anything that is solving my problem of trying to get a prediction from a trained model on AutoML via a local website. The website code is in this link: https://pastebin.com/xsfkYf6C
All I get in return from uploading an image and clicking "process" button on this site is:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
I surely have made some mistakes somewhere, but I'm completely clueless as to how I would fix this or maybe because I'm just too dumb to figure it out yet. My research has yielded none to very little results. This article might be of some help to clear things up about AutoML Restful API: https://cloud.google.com/vision/automl/docs/reference/rest/v1beta1/projects.locations.models/predict
Appreciate any of your suggestions and code fixes.
Thanks so much and have a great day!
You need to pass your api key to REST API call like this:
https://automl.googleapis.com/v1beta1/projects/a...1/locations/us-central1/models/ICN...1:predict?key=API_KEY
To create an API key you need a Google Cloud account since it's only free up to a certain point and then you will get charged for.
Therefore you should secure this key and make sure it is not visible publicly(so don't put in your html source code, backend should handle this call).
More details here
The error could mean that you are using an API Key or the token you provided is wrong/malformed. I think that creating a token using Playground, ServerSide, Javascript, etc. will fail due to there are not OAuth2.0 scopes for AutoML, maybe because is still in beta release.
Keeping in mind that a token generated from gcloud it works, I can suggest generating programmatically a token impersonating a service account to generate the token, this example contains all the pieces of the puzzle. This means that your user could generate a service account token on behalf of your service
Points to consider when executing the code:
Enable the Identity and Access Management (IAM) API.
Update the code according to your own configuration, project and json file.
Use the generic scope: https://www.googleapis.com/auth/cloud-platform as the jwt_scope.
IMPORTANT: The python code it is using urllib and httplib, which means that it could be translated to a POST requests with some extra effort (to be used in your javascript)
Let us know if it works for your specific use case!
So apparently, Facebook collects huge amount of data from user, and not just from hitting the Like button, but also the amount of time that user has spent looking at some post by someone ( reading friends status update ). Is there a method to see what am I actually sending to Facebook and when (time is relevant). Can I view those requests in Windows 7?
Is it possible to do reverse engineering on this particular topic?
This will be available in all browsers but if you have access to Chrome then go to "View" and then "Developer" and then "Developer Tools".
From here select the "Network" tab.
You can then see all traffic travelling between your browser and the internet. You can filter this list down based on the Domain Name, e.g. facebook or any other aliases they use.
Click on any item in the list and then you can see the request and response.
This should help you to get started.
It's not that simple..
Facebook will use their own format, not like the most simple aka REST / JSON applications.
Facebook is making it very very hard to read/understand their APIs, obviously...
They will use some kind of their own binary data implementation, so really if you look at the post data, its just number, some (maybe) encrypted token like data, stored in a base64 format.. what ever..
Additionally, FB is using a lot of AI processing, this is no rocket-science anymore.. The internal APIs could also work based on that. So reverse-engineering FB makes no sense. Just write you own.
I also think, that many very good IT specialists are already trying it. Companies like FB will also make internal contests on this topic, to make their APIs even more secure. Actually, if you do some Online Banking, you will find more useful information on what data was send, then on FB.
I'm making an open source Node module that will require access to each user's private Google Drive files. I've been trying to wrap my head around all of these different authentication types, and have come to a road block. From what I've gathered, there are two primary types of authentication
I, the library author, provide in my library the public and private keys necessary to authenticate each user with OAuth2. This means giving them a URL to go to to give my app permission to access their data, and have them copy and paste an access code back into their terminal. I was able to run through this tutorial and get it working, but this method seems dangerous, because of the keys I have to package with my library, and unnecessarily difficult.
Have the user go to the Google API console, get their own API key, and provide that to my library through some sort of configuration file. No URL redirection, no copying and pasting, just some private credentials that only they have access to.
2 sounds a lot better to me: This library has absolutely nothing to do with me once it's in the user's hands, so it feels incorrect to have them authenticate with me. But from what I can find, the only way to do this with Google's API is to create a Google Service account, download the JSON they give you, go through a flow similar to the top comment on this blog post, and then manually give the service account email access to my personal Google Drive files. This seems hacky, and a lot of work to gain access to my own private data. Is there a better way to go about this? It seems strange to me that this fairly standard flow in other APIs is only available in Google's API through service accounts, but maybe there is a way and I'm just not seeing it. I'm fairly new to authentication, so any help at all is appreciated. Thanks!
First off I want to say that you cant release your open source project with the client id and client secrete that you created on Google Developers console this is against googles terms of service.
1.Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep
your credentials confidential and make reasonable efforts to prevent
and discourage other API Clients from using your credentials.
Developer credentials may not be embedded in open source projects.
My Answer on another question about exposing client id in open source projects.
Second you could instruct your users to use either Oauth2 or a service account or both its really up to you.
If the user will only be accessing their own data and wont need to access someone else's data then they can use a service account you will need to instruct them in how to share a folder on Google Drive with the service account. However from your side permissions can be tricky when they are uploaded the service account will own the file uploaded to the users google drive account you will need to have the service account add permissions for the user so the user will then also be able to access said file.
The easiest way to go will be Oauth2 when the code uploads files they are owned by the authenticated user so you wont have the same permissions issue you had with a service account.
I'm trying to create a webpage that can incorporate LinkedIn info's (profile,people,company, etc...).
The things that it can/would do are the following:
When the user enters a name that is registered in LinkedIn, he gets the following
*Name, Company, Email
*List of LinkedIn messages that are waiting for reply
The same process goes on everytime the user adds a profile, I'm planning to use the Profile API of LinkedIn to get the Name, Company and Email but I can't find a working example to be my basis.
As for the 2nd one I still don't know how to get the LinkedIn messages.
Here's my Layout and expected result.
How can I achieved this? Opinions and Suggestions are highly appreciated tnx
This is far to broad a question for me to invest the necessary time in to figure the answers (multiple) for you, but do let me give you some hints. First of all, from my experience with the linkedin API not all the data you wish to access is available (do double check this though, I used the API quite awhile back and stuff might have changed in the meantime). As this data is not available through the API the only alternative would be to somehow bypass the cross domain policy, which in conclusion would require the user to install a chrome extension/firefox plugin which will function as a proxy for your application or even 'better', make you entire application a browser plugin based web app. Not that I am a fan of those whatsoever but if you application is meant in any way whatsoever as a linkedin (dedicated) plugin (probably as part of a greater service you're developing) then it might make most sense.
The whole system you are describing is very long winded and requires a large amount of development time. Alot of the data is not accessible directly or indirectly too. You cannot get email address's out from the API as a security feature (bots could just harvest emails for marketing campaigns).
First of all, you will need to make an application that allows for oAuth2 connections with the linkedin API service. People will log onto your website, click to join their linkedin account with your website and your website will receive back an access token to do the calls.
You will then need to build the queries which will access the data you require. The linkedin API documentation (http://developer.linkedin.com/) isn't greatly indepth but it gives you a good understand and points you where you need to go. There are also a couple of pre-done php API's around such as https://code.google.com/p/simple-linkedinphp/.
I have worked with many API's from twitters, facebooks and LinkedIn's and they all require a lot of back-end work to make sure that they are secure and get the correct data.
It would take me hours to go through exactly how to do it and has taken me many hours to get a solid implementation in place and working with all the different calls available.
If you have minimal coding knowledge, it would be best to go to an external company with a large amount of resources and knowledge in the field who can do it for you. Otherwise it may take many months to get a working prototype.