So I'm building an app on Appcelerator that uses the Google Maps API to show some information on maps (for Android). I've read all the tutorials and instructions from the Google Developers Console about requesting an API Key. As far as I know, an API Key depends on the SHA1 fingerprint of the keystore you're using to test your app. That's just fine, I got my API Key and everything works on my development environment.
The problem is that my boss, at the moment of testing, can't get to see the maps, I think because his "dev_keystore" SHA1 differs from mine, so there must be an authentication problem. (That I know, right.)
But what bothers me the most is that there is another app that he (or someone on his team) built. I get that app to my development environment, run it with his API Key, and it works... even using my dev_keystore, I guess...
So my question is: is it possible to create an API Key that works on every environment, regardless of the key_store SHA1 and stuff? I mean, how in hell is that API Key configured that it works fine on my computer as well as on his?
OK, I figured out what's going on. The default keystore that comes with Titanium Studio is the same for every installation of it. So the other developers might have (and they did) created an API Key for those apps with the default keystore, and that's why it is working on every environment.
I bet that when my boss tries to publish that app, it will not work at all. He'll need to create a more app-related API Key, but that's another story to tell.
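A simplified model of the restriction described in this answer, added here as an example and not part of the original post or Google's implementation: an Android-restricted key is tied to a package name plus the SHA-1 of the signing certificate, so a key pinned to a keystore that ships identically with every IDE install accepts anyone's debug build. The certificate bytes, package name and function names are constructed for illustration.

```python
import hashlib

def sha1_fingerprint(cert_der: bytes) -> str:
    """Colon-separated upper-case SHA-1 of a DER certificate, as keytool prints it."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def key_accepts(restrictions, package, cert_der):
    """Model of the app restriction: the (package, cert SHA-1) pair must be listed."""
    return (package, sha1_fingerprint(cert_der)) in restrictions

def audit(restrictions, shared_debug_certs):
    """Return restrictions pinned to a certificate every developer already holds."""
    shared = {sha1_fingerprint(c) for c in shared_debug_certs}
    return sorted(r for r in restrictions if r[1] in shared)

# Constructed stand-ins for DER certificates (not real certificates).
DEFAULT_IDE_CERT = b"constructed: default keystore bundled with the IDE"
RELEASE_CERT = b"constructed: team release keystore"

# The key was registered against the bundled default keystore.
RESTRICTIONS = {("com.example.maps", sha1_fingerprint(DEFAULT_IDE_CERT))}

if __name__ == "__main__":
    # Any machine with the bundled keystore passes; the release build does not.
    print(key_accepts(RESTRICTIONS, "com.example.maps", DEFAULT_IDE_CERT))
    print(key_accepts(RESTRICTIONS, "com.example.maps", RELEASE_CERT))
    print(audit(RESTRICTIONS, [DEFAULT_IDE_CERT]))
```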
Related
I have a few questions regarding ShopifySharp package and Shopify Custom App and Private App.
It has a warning that says:
Some of your private apps and/or admin webhook subscriptions may not work as expected because they are using deprecated API versions.
It also says private apps need to be updated before January 1, 2023.
To give you an idea, we created an application in C# built using ShopifySharp. It has been working for years already. It has an API key, password, and domain to connect to, to get the essential data from. It's understandable. Now here comes the confusion. I created a new app in Shopify by clicking "Create an app" in the Settings, putting the name, etc. So, it now says it's a Custom App below the app name.
It made me confused because I don't know if I'm going to replace the old Private App with the new Custom App and use its credentials.
I also don't know if those credentials I am seeing are what I am going to put in my C# application, like the API key and secret key. I don't even know the use of the "Admin API access token". I am new to this Shopify thingy, by the way, but I have been developing and updating the C# app; I was just concerned about the API key and password in the Private App.
I am also seeing Webhooks subscription default to "2022-10" but I don't know what to do with it.
I already asked the ShopifySharp maintainer but I am not satisfied with the answer. All I have to do is to change the https://myshop.myshopify.com/admin/api/2020-07 to https://myshop.myshopify.com/admin/api/2022-04? Is that all?
Recently I deployed an app to the internal testing track in the play store. I had to fix the app package name to do so - my mistake naming it poorly in development - and it may be responsible for breaking something, mysteriously, in the Google OAuth system.
The error that Google displays is useless... It tells me I violated a policy! But not which one. It just says something about the redirect_uri.
I've been staring at the message "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure." for days now, tearing my hair out. Apparently almost nobody else has seen this message, and it's not documented.
I had suspected I was using the wrong SHA1 certificate, but though it may have been incorrect, fixing it has not helped it.
Using the old (pre play store) package name in the cloud console works in dev, but not in production. Yes, I have a separate client id for the dev (signed with the default SHA1 for local dev) and a client id for the play store signed app... I'm pretty sure I've got it right now, though again, no details, I don't know. There's a reason I'm so obsessive about error codes and exceptions when I build software myself!
The only thing I've been able to do to change anything is by manually messing with the redirect_uri that expo-auth-session sends to Google, which sometimes causes a redirect_uri_mismatch... This indicates to me that the redirect_uri I'm using is a match? Meanwhile, redirect_uri_mismatch is a documented error code, but not redirect_uri.
What makes this more annoying is that apparently Google cloud OAuth config can take a long time to update, apparently up to a couple hours, but I have no idea when it's updated... So I can't tell if I'm testing against the propagated config changes? Huh??
I happen to believe that the lack of diagnostic info itself is a bug (how can you debug an opaque failure? An undocumented error?), but it seems like Google does not agree?
If it's helpful, I've been using Google OAuth for a year now for the web app part of this project... Never had this problem. I'm ready for launch. This is the only thing blocking. What am I to do?
There is a similar discussion about the Nest app, but that is attributable to the phase out of unsafe schemes: https://community.home-assistant.io/t/nest-authorization-error-error-400-invalid-request/399388
I am facing a weird issue in Shopify app development. I have created an app which is working fine on a development store. It is able to add some data on the development store.
But for testing purposes I have offered this app to merchants to test on their live stores with an activated Shopify paid plan. But the app cannot add any data. POST/PUT requests are automatically converted to GET requests.
I have created a couple of apps that are published on the App Store, and in the past they were being used by active paid-plan merchants, before the app was published, without any issue.
Has something changed on Shopify's side, or am I missing something this time?
Any help will be appreciated.
Every PUT/POST request's endpoint should be on the .myshopify version of the domain.
I was passing the primary domain, and it was working fine in dev stores, because in dev stores the .myshopify version of the domain and the primary domain are the same.
I did not get this issue for so long. It was a silly mistake, but it stops app functionality.
Posting this answer just so that other people do not make such a blunder.
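One way to enforce the rule in this answer before any write is sent, as an added example that is not part of the original post: accept only the shop's .myshopify.com host when building an Admin API URL, and treat any redirect on a write as a failure. The function names and sample hosts are hypothetical; that the GET conversion comes from the HTTP client following a redirect is an assumption, the page does not say so.

```python
import re
from urllib.parse import urlsplit

# Lower-case shop handle followed by exactly ".myshopify.com".
SHOP_HOST = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")

def shop_host(value: str) -> str:
    """Normalise a shop domain or URL and require the .myshopify.com host."""
    raw = value.strip().lower()
    host = urlsplit(raw if "://" in raw else "https://" + raw).hostname or ""
    if not SHOP_HOST.fullmatch(host):
        raise ValueError(f"not a .myshopify.com host: {host!r}")
    return host

def admin_url(shop: str, version: str, resource: str) -> str:
    """Build an Admin API URL of the form shown on the page (/admin/api/<version>/...)."""
    if not re.fullmatch(r"\d{4}-\d{2}", version):
        raise ValueError("version must look like YYYY-MM")
    return f"https://{shop_host(shop)}/admin/api/{version}/{resource.lstrip('/')}"

def redirected_write(method: str, status: int) -> bool:
    """True when a write was answered with a redirect instead of being applied."""
    return method.upper() in {"POST", "PUT", "PATCH", "DELETE"} and 300 <= status < 400

if __name__ == "__main__":
    print(admin_url("myshop.myshopify.com", "2022-04", "products.json"))
    for bad in ("www.example-store.com", "myshop.myshopify.com.example.net"):
        try:
            admin_url(bad, "2022-04", "products.json")
        except ValueError as err:
            print("rejected:", err)
```

Sending writes with redirect following disabled and checking `redirected_write` on the response turns the silent GET into a visible error.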
TLDR:
Does Google check the validity of an iOS app's bundle identifier when restricting the API key to a specific iOS app?
Or is it possible for anyone to mimic the bundle ID in order to launch an attack?
If the latter is false, why not include the API key in the iOS app?
UPDATE 1:
I'm guessing Google doesn't check for Team ID?
Apple Glossary
App ID A string that identifies one or more apps from a single team. An App ID consists of a bundle ID search string preceded by the Team ID, a 10-character string generated by Apple to uniquely identify a team.
I need some directions... (pun intended)
Say I'm building an iOS app that needs to consume the Google Directions API.
Google suggests to "proxy the web service via your server when you're using the API in a mobile app, to protect your API key".
In my project settings in Google Console (API Manager -> Credentials etc) I can restrict the API key to only iOS apps with my bundle identifier (com.example.MyApp).
Since I don't need a server, what's the worst that can happen if I include the key in the app?
The only thing I can think of right now is someone steals the API key and builds an app faking my bundle ID (or even fake the iOS host itself) and fires "unlimited requests" to bring down my service/make me pay a lot of money.
Is this possible?
And if it is, couldn't he do the same even if I hid the API key in the server? Just call my server instead of the API directly.
So what's the gain of having a server in that case?
And would the only solution to prevent this abuse be to require authentication and rate limit each user?
But couldn't then someone create "unlimited" random accounts?!
Do I use captcha?
By then the UX has become pretty awful, especially since authorisation is not even required for my app...
Is there a solution to this, or do I just choose the simplest solution (include the key in the app) and hope for the best?
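The per-client rate limit raised in this question, combined with a total cap on upstream calls, as an added example that is not part of the original post: a gate a proxy server could consult before spending one Directions API call with the server-held key. The class names, limits and client identifiers are hypothetical, and the global cap is an addition that bounds total spend even when many throwaway clients each stay under their own limit.

```python
import time

class Bucket:
    """Token bucket: refills at `rate` tokens per second up to `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.stamp = rate, burst, float(burst), now

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class DirectionsGate:
    """Decides whether the proxy may spend one upstream call for a client."""
    WINDOW = 86400  # seconds in the rolling budget window

    def __init__(self, rate, burst, daily_budget, clock=time.monotonic):
        self.rate, self.burst, self.budget, self.clock = rate, burst, daily_budget, clock
        self.buckets, self.spent, self.window_start = {}, 0, clock()

    def allow(self, client_id):
        now = self.clock()
        if now - self.window_start >= self.WINDOW:
            self.window_start, self.spent = now, 0
        if self.spent >= self.budget:
            return "budget_exhausted"   # caps the bill regardless of client count
        if client_id not in self.buckets:
            self.buckets[client_id] = Bucket(self.rate, self.burst, now)
        if not self.buckets[client_id].take(now):
            return "client_throttled"   # throttled calls do not consume budget
        self.spent += 1
        return "ok"

if __name__ == "__main__":
    gate = DirectionsGate(rate=1.0, burst=2, daily_budget=5)
    print([gate.allow("device-a") for _ in range(3)])
```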
In an application I made for Mac, when I ran the process for validating the archive, it came up with the error:
The archived application has entitlements that require Mac App Store distribution.
The invalid entitlements were:
com.apple.developer.aps-environment.
I looked at this link: Enabling Push Notifications and the entitlement, I think, is in relation to the push notifications.
I tried adding the com.apple.developer.aps-environment to my entitlements file as a boolean set to YES, but the error still came up.
How can I fix this?
It looks like you're maybe trying to sign the app for distribution outside the App Store, and Xcode is telling you it's not going to let you do that because you're using App Store only features.
I'm no expert in signing stuff, but to get my last app to submit I signed it with the "3rd Party Mac Developer Application:..." identity, not my "Developer ID:" identity. The latter is only for when you're distributing apps directly to customers from your own website.
It's not a boolean. It's a string that's either 'development' or 'production'. It's also for the Apple store only.
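A pre-signing check built from the two answers above, added here as an example and not part of the original posts: it parses an entitlements plist and reports when com.apple.developer.aps-environment is a boolean or an unexpected string, and when it is present in a build not signed for Mac App Store distribution. The function name, the `mac_app_store_signing` parameter and the sample plists are constructed for illustration.

```python
import plistlib

APS_KEY = "com.apple.developer.aps-environment"
VALID_VALUES = {"development", "production"}

def check_aps_entitlement(plist_bytes, mac_app_store_signing=True):
    """Return a list of problems with the push entitlement in an entitlements plist."""
    entitlements = plistlib.loads(plist_bytes)
    if APS_KEY not in entitlements:
        return []
    problems = []
    value = entitlements[APS_KEY]
    # bool must be tested first: the question's mistake was a boolean YES.
    if isinstance(value, bool):
        problems.append(f"{APS_KEY} is a boolean ({value}); it must be a string")
    elif not isinstance(value, str):
        problems.append(f"{APS_KEY} has type {type(value).__name__}; it must be a string")
    elif value not in VALID_VALUES:
        problems.append(f"{APS_KEY} is {value!r}; expected one of {sorted(VALID_VALUES)}")
    # Per the answers on this page, the entitlement requires Mac App Store distribution.
    if not mac_app_store_signing:
        problems.append(f"{APS_KEY} is present but the build is not signed for the Mac App Store")
    return problems

# Constructed sample entitlements files (not taken from a real project).
BOOLEAN_SAMPLE = plistlib.dumps({APS_KEY: True})
STRING_SAMPLE = plistlib.dumps({APS_KEY: "production", "com.apple.security.app-sandbox": True})

if __name__ == "__main__":
    for name, sample in (("boolean", BOOLEAN_SAMPLE), ("string", STRING_SAMPLE)):
        print(name, check_aps_entitlement(sample) or "ok")
```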