I've been trying to use the google sheets api key to get data from a spreadsheet I created. But the thing is that I've failed many tries.
I know a way to do this, and it's using the credentials.json and the OAuth2, but with this method, when I run my program, it redirects me to the browser for an authentication. And that's something I donĀ“t need.
My development is back-end and of course I don't need any authentication in any browser.
So I don't know what else I can do because when I try to use the URL "https://sheets.googleapis.com/v4/spreadsheets/{spreadsheetId}" after getting the API KEY, I receive errors like "the caller does not have permission".
I read that to be able to use the api key with google sheets I must make my spreadsheet public but that's something I don't want to, I can't make my spreadsheet public because it contains sensitive information.
If anyone can help me I'd really thank you..
Related
I'm building a service that provide some readonly information that is going to be used in multiples websites, some with login and some public.
I dont want to make the api public to any website so I'm not sure what auth method i should use. I have some ideas but I don't want to reinvent the wheel.
I was thinking on have the backend of this sites request a token to my server using a secret/password/private_key then they should pass this token to their front end and pass it with each request to my server(their front end will comunicate directly with my API)
If your public non-authenticated API is accessible by your site, there's no way to stop other people from consuming this API and stealing your data.
You can stop other websites from directly taking data from your API (by not using CORS headers), but if your website is showing data from your API publicly, then assume anyone else can.
If your business relies on not being possible, rethink your business model. If data appears on the screen of a random user, it means that user can take that data and put it somewhere else. It's how the web works.
I totally agree with #Evert. Having said that, there are some ways you can use to make public API accessible to some and not to all. It will not be perfect, and using some kind of API tokens will be a better solution most of the time, but it might suit your needs.
First of all you can use firewall rules and allow connections from certain IPs only. Simple and will work as long as the source IPs do not change.
Another idea you can use: look at youtube and how private videos work. There is a secret in the URL. With enough entropy you can build publicly accessible URLs this way which can be used to share a simple link with friends, but will be hard to guess by others. There are drawbacks to this technique. You may only allow people to share their content this way, as they have always the rights to make the link public by pasting it into their tweeter/yt/other.
I'm using web api for my application on ASP.NET CORE
If someone see application soruce code, there is a backend url, isn't it?
Then, that guy can use my api if he succeed my application decompile
How protect that situation
I'm just stutdent, so... Just my curiosity
Authenticate your API
If you plan on having a private API (not open to everyone), then you should force users to authenticate themselves by using an API access token. Each token should be specific to a particular user, and there should be consequences for distributing a private key (such as revoking it and blocking the person associated with it) or else people will just share them without care. This will allow users to communicate with your server and run commands or queries as they please. Assuming you have written these functions correctly, they shouldn't allow an attacker to access much beyond his given scope of given API functions (which should be queries at most).
Document, document, document!
You shouldn't allow users access to your source code for this. You should document your API thoroughly regarding details which methods the user can use, what sort of data it expects to receive, and what sort of data you will get back from it (including all errors, possible problems with the users request, and how to fix their requests). Make sure you heavily test these too, and make sure that you can't perform any sort of malicious actions with your API. It's also a good idea to give your documentation to another person and ask them to read it. If you've missed something important, you will know afterwards because there will be a clear gap in their knowledge of the API.
What, not how
Users should know what a function should do, but not how it does it. For example, I could use /api/GetUserById. I should know that I can get a user - I shouldn't know how it gets the user. The only thing I need to know is that I perform this call and I get back a json object with details about the user. That is it.
As with any of my posts, if there's something I've missed or something you need further clarification on, please let me know in the comments and I'd be happy to explain further. I hope this helps
I would like to create a spreadsheet that allows my users to do bulk uploads to my App Engine application and I would like to do so whilst exposing as little of my app to the world as possible.
My constraints are that I would like this to work via a button in Excel that turns the data in to http post requests, I like this as a plan as it means I can write the logic for one row and then the http response can validate to the user if the data has been accepted or generated an error.
I think I see two options;
Use a secured handler that forces the user to be logged in with their Google account - but this means figuring out how to implement communicating the authentication to Google. This also means my VBA code handling the user's password which I am nervous about.
Use a secret, this can be generated by the application so that only a user can access the code for which they have to be logged in to find.
Questions:
Which approach should I take with my application?
Is Option 2 materially less secure?
What can I do to make option 2 a better solution?
Should I even bother attempting option 1?
I am trying to do an app that requires google spreadsheet API, however it looks like I can't enable it from the console. Therefore, I can't ask for the permissions to the documents.
I know that it is possible, because I found this playground: https://developers.google.com/oauthplayground which asks for permissions for Spreadsheet API, but I just don't know how they did it.
Can someone help me, please?
You need to use OAuth2 with the https://spreadsheets.google.com/feeds permission scope. If you would like to create new spreadsheet file in the user's Drive, then you also need the https://www.googleapis.com/auth/drive scope.
See this for more on the Spreadsheet API and this for Drive.
I want to display a user's wall feed and news feed on my site. How can I do this?
Is there any way to pull the feed without having to get an authorization token?
If I need a token, how do I get that?
The proper (I would go so far as to say "required by Facebook's terms and conditions") way to do this would be to get an authorization token, which involves a pop-up div asking the user if they would like to permit your site (application) to access their information.
You can customize the level of access you'd need and they would be prompted only for that. By accepting, you'd be able to access a token within their cookie. Armed with that token and your application ID and your "application secret" you can make requests to the Facebook Graph API for any data you'd like. (You use the application secret to decrypt the user's cookie, from which you obtain the access token to pass to Graph API requests.)
It's not as simple as just scraping their wall and displaying it, you'd be responsible for grabbing the individual pieces of data and organizing the display.
Edit:
In response to your comment, here is a quick tutorial for working with cookies in .NET. A Google search for "ASP .NET cookies" or "VB .NET cookies" will yield much more as well. There is an example (in PHP) here demonstrating how to decrypt the cookie. I haven't found any .NET examples, but the code here is pretty straightforward. The cookie name is "fbs_" + your application ID.
It appears to be a delimited string, so just read in the whole thing in your debugger and see what the value(s) look like. The value you want appears to be called "sig" (but, again, debug to make sure) and it looks like they're using an MD5 hash to obtain it. You can read up on what the md5() function in the PHP code is doing here and it should be easy to find a .NET analogue for that.
Once you have the access token, it's up to you how you want to get the information. I'd recommend doing it all in JavaScript just to offload the whole thing to the client's browser, not to mention that most samples you'll find online (such as in Facebook's API documentation) will be using JavaScript. But if you want to do it all server-side, Facebook's C# SDK will be of some assistance. You basically pass it the token and the Graph API path you want and it returns a JSON object with all the data.