How to Hide Google API Key And Still Use It - javascript

I am currently hosting a website on GitHub. I want to be able to use the Google Sheets API to read data from a google spreadsheet in node js. Is it a security risk to push code with the API key? Is there a way to hide it on GitHub but still be able to use it?

Use this module https://www.npmjs.com/package/dotenv
Set you API key in a .env file something like this
API=sds1sdf13s21f23sd1fs1d3f21
and access it via process.env.API
and add the .env file to the .gitignore

Related

How to commit to a github repo from a website (IN BROWSER) using javascript

I have a website that needs a JSON file to display a sort of timetable that's hosted on GitHub pages. People who do not know what javascript or GitHub are need to be able to change that JSON file each week.
To solve this I've created a website that reads data from a google sheet they can edit, and turns it into a js object at the click of a button. I now just need to get this object from the website into the JSON file on the first GitHub repo, but I have no clue how to do this. I know you can use the GitHub API somehow, but how??
P.s. I know making the token built into the website is a security risk which is why I plan to only put tokens in the google sheet, which requires the user to authenticate a google account before being accessed.

Post Website On Github Pages Without Exposing API Key

I created a ReactJS movie website with TMDb movie API and my website fetches data from TMDb server which requires an API key. I have created an .env file and put my API key there and then I added that .env file to my .gitignore file, but now I want to publish my website on github pages without publicly exposing my API key, please help me by suggesting solution to this particular problem.
I have found many questions regarding how to hide my API key, but here, what I am asking is that, how to publish my page with my API key not being publicly accessible.
Depending on your usecase, you could use GitHub actions and GitHub secrets to achieve this.
The action could fetch data from the API, making it available during the build. This would almost be like cache warming, fetching upstream data and storing a static version closer to the client. Depending on your usecase, I think something like that would work.
Github Pages are supposed to be public for community/free tier.
Remove the API key from the code, where ever it is. Store API key as a variable in Github Secrets.
https://docs.github.com/en/actions/security-guides/encrypted-secrets
And then, reference it during pipeline build with ${{ secrets.API_KEY }}
Update your .env file with this key.
Add .env to .gitignore

Is there a way to use Google Drive with JavaScript without Google Cloud Console?

I'm looking for a way to use Google Drive to share data between a Android app and a web page hosted on my server. The web page should use JavaScript to retrieve and store data in Google Drive.
The data should only be exchanged between the browser of the user and Google Drive.
According to the documentation of accessing Google Drive from JavaScript you must first create a application using the Google Cloud Console, register it and get a client ID before you can use JavaScript to access the data.
I don't want to have to maintain a Google hosted application. Is this possible?
The only point of apis console is to register your applicaiton or in your case script with google. Its baslcy just there way of keeping track of whos accessing what i think. Once you have it registered you normaly would use a clientid and stuff as well as Oauth2 to allow users to access there google drive with your script. But you wont need to go into that becouse its your application thats storing its data there and not a user.
You will probably want to look into a service account.
https://google-developers.appspot.com/drive/service-accounts
If you want to use private spreadsheet then you have to use authentication, in this case google project is easiest one. If you don't want to use private then you can publish your spreadsheet and then make ajax call without authentication/goole project.
You're not the first person we've heard this complaint from. People want to be able to log in and create an API key without having to deal with extraneous cloud services. We're working on some things to make life easier for customers like you.
Unfortunately there is no way to do this at the present time. That said, you don't have to actually maintain a separate application. You can create a project and only use it to manage APIs.

Accessing a specific Dropbox user's folder within our company using the API?

We have a team Dropbox account here at my work and we all have our own company Dropbox accounts with username/emails like *.domain.com. I've been assigned the task to create a nice web interface to a certain selection of assets that are stored in one of our designer's Dropbox folder.
The task is to build a Node JS app and use the Dropbox API to read these files to build a nice interface to the files in that designer's Dropbox folder and do some other cool stuff. It's not sufficient to use the public viewing or sharing of that particular folder which Dropbox allows. We need something custom and it needs to really use the API for full control.
The thing that is confusing for me why I just can't seem to get started, is setting up the API access from Node JS to give me access to that designer's folder. I don't mean what code I need, but just the step by step of what is involved. I just can't seem to wrap my head around having app that will access that one particular company user's Dropbox folder.
I was starting to use node-dbox SDK to access Dropbox API from NodeJS and was messing around with their example to auth in the README, but the flow doesn't seem right to me? The API seems based around allowing access to the app, having to go to an external app etc. But that doesn't seem right in this case? I know which specific user's Dropbox I want access too, and I just want to app to access it... It's all trusted as it's within the company.
What are the steps involved in doing this? I'm really stumped!
You'll need to have the target user authorize your app once via OAuth. At the end of that OAuth process, you'll receive an access token that you can use to access that user's Dropbox. You only need to do this once, and then you can just hardcode that access token in your app.

Google Drive API & Google Realtime API - Can I place a realtime file in the app folder?

Using the Google Drive API and Google Realtime API (via JavaScript):
I can create a realtime file without providing a parent. However when I attempt to set the parent as "appdata" I receive this error from the API:
Only folders or files with content stored in Drive are allowed within
the appdata folder
It's a little vague perhaps a realtime file is not considered having contents?
So my question: Is it possible to place a realtime file within the app folder?
Through further investigation I have managed to find the answer to my question.
Actually, unfortunately you cannot currently place a realtime file
within the appdata folder. This is something we are looking at
adding, but in most cases it doesn't make sense since the content of
the appdata folder is restricted to a single user.
Cheryl Simon on Google Drive Developers - https://plus.google.com/communities/107264319205603895037

Categories