I want to create an app that autocompletes a destination text box. I read this documentation about it:
Adding Place Autocomplete to your Android App
However it says that you can't use your API key internally and that you must instead access an external web service to make the autocomplete submission and return the results to your app. I then came across this:
Place Autocomplete in response to an HTTP request
This states that you can make a request with your API key as part of the URL for the HTTP request. Can you do this internally from your app or would you have to submit that HTTP request from an external web service as well? If you can just make this HTTP request from within the app, how would I go about doing this?
Try this solution:
1) Get an application's API key from the Google console.
Create Api Key
2) Use this module from GitHub to make Google Place Auto Complete. It's easy to integrate: Android GooglePlaceAutoComplete
Related
Twitter login isn't working anymore on my android project and I have figured out that it's because I have restricted my API keys in Google cloud. By default, twitter login makes use of an https request https://<project_name>.firebaseapp.com/__/auth/handler....apiKey=...&providerId=twitter.com&sessionId etc where apiKey is the API key in my google-services.json. Given that I have restricted the API Key to my Android app package name, https requests for twitter login return an error. If I manually edit the url and put the Browser API key, it works fine but this is obviously not a practical solution for production.
Is there a way to tell AuthUI.IdpConfig.TwitterBuilder() to use a specific API Key so that I can pass the default Browser API key.
I have tried to manually edit google-services.json to add the Browser API Key and this fixes the Twitter Log in issue and breaks other calls to the server.
One work around is to have an extra key that your end users can have who you trust and check this via query params.
Const BrowserAPIKey = 'realKeyhere';
Create a unique key and save it as a constant in the function you call Twitter login.
Under the key variable call any URL and append a query param like so e.g. firebaseauth.com/twitter?key=123 and then pluck out the key by calling req.body.key so if you requested the API with a param called key. I.e. save this in another const e.g. const enteredKey = req.body.key. We expect 123 to be the resolved key if things are to work
Check if trusted clients got key right and release Browser API Key based on result:
If enteredKey = 123
// Call Twitter login api with real browser key
https://<project_name>.firebaseapp.com/__/auth/handler....apiKey=BrowserAPIKey...&providerId=twitter.com&sessionId
Assumptions:
This API accepts the browser key via a param called browserkey and spelt exactly that way
The BrowserAPIKey when in step 3 above contains the actual key that clients need to login with
I got in touch with Firebase support and this is expected behaviour if you restrict your API. In short, the API restriction for Android application is searching for package name and SHA-1 headers, the Twitter sign-in flow is based on a browser, so the headers are not sent, also there is no way to pass the headers through the browser.
The best approach would be using API restrictions (which APIs can my API be used for) rather than platform restrictions (which platforms can use this API key).
I have a Spreadsheet with some Apps Script functions bound to it.
I also have an Android client using Google Sheets API v4 to interact with that spreadsheet.
Is there a way for the Android client to call/run some function in the Apps Script code?
The reason I need to code to be run on the Apps Script side, and not simply on the Android client, is because I'm sending some email when something happens to the doc, and I would like the email to be sent from the owner account of the spreadsheet, and not from the Android user authenticated via the API.
I know I can trigger functions implicitly like by adding rows to a doc, but is there a way to directly run a specific function?
Yes. You can make GET and POST requests to Google apps-scripts. from anywhere that can make REST type calls including clients. If you need authentication there is also the apps-script client libraries. I wrote a short script for emailing from a request from one apps-script to another here. But, it would work if you called the emailing script from your client also.
Deploy your Google Apps Script as Web Apps > reference, by this way you can run function Get(e) or Post(e) and invoke other functions inside one of them with conditions....
You might have gotten the answer to your question. Just in case you have not, below are some points that may help with your development:
1) Create the server side script (i.e., Google Apps Script) function like usual:
function myFunction(inputVar) {
// do something
return returnVar;
}
2) Create a doGet(e) or doPost(e) function like below - can be in the same .gs file with the function in 1) :
function doGet(e) {
var returnVar = "";
if (e.parameter.par1 != null) {
var inputVar = e.parameter.par1;
returnVar = myFunction(inputVar);
}
return HtmlService.createHtmlOutput(returnVar);
}
3) Publish and deploy your project as webapp. Note the deployed URL.
4) From your Android client do HTTP call with the URL as: your_webapp_url?par1="input value"
I have been doing a lot of research recently on securing my app engine. Currently, I've been reading through the question below and the links in that question:
How do I restrict Google App Engine Endpoints API access to only my Android applications?
However, it doesn't answer my problem. My question is similar to the question above, restricting access to my endpoint API to only my app. The guy seemed to have got it working when he inputs a correct email into the credentials.
My question is if I can achieve the same results without having to input any credentials. I want it so that only my app can use my endpoint API so to prevent other apps from abusing it and using up my quota. I already got a client id for my android application, and have placed it within my #API annotation. To test if it worked, I made a random value for the client id in the #API notation of another api class. However, my app was still able to use methods from both class. Any help?
-Edit-
From reading from the docs and researching further, the endpoint way of authorizing apps is by authenticating the user and for my API to check if user is null. My question is that in the process of authenticating the user, is Google somehow able to read my app's SHA1 fingerprint and authorize it to its list of client ids? If so, how can I replicate this process in my endpoint so that I check the SHA1 fingerprint of the app making the request and compare it to a set value? I don't understand the mechanics behind the endpoints very well, so correct me if I am understanding this wrong.
If the android app has access, then the user has access. A motivated party has many options for inspecting your protocol, including putting the device behind transparent proxy or simply running the app through a debugger. I do suggest running your app through ProGuard before publishing, as this will make the process [a bit] more difficult.
Ultimately, you'll need to make your appengine API robust against untrusted parties. This is simply the state of the web.
How you can protect your endpoint API is described here: http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
The secret is that you request a token from Google Play using the following scope: audience:server:client_id:9414861317621.apps.googleusercontent.com where 9414861317621.apps.googleusercontent.com is your ClientId.
Google Play will look up the id at your endpoints app and return a Google-signed JSON Web Token if it finds the id. Then you pass that id in with your request. Above article says you should pass it in with the body. I would possibly rather add another parameter for that because otherwise you can't pass your own entities anymore. Anyway, your server backend receives the token, and you ask Google as described if it is authentic, before you process the API request.
If you pass in the token using an extra parameter, you can catch it on the server side by adding HttpServletRequest to your endpoint signature and then using request.getHeader("Yourname") to read it out. Make sure you never add the parameter as a URL parameter as it may be logged somewhere.
public void endpointmethod(
// ... your own parameters here
final HttpServletRequest request
) throws ServiceException, OAuthRequestException {
request.getHeader("YourHeaderName") // read your header here, authenticate it with Google and raise OAuthRequestException if it can't be validated
On the Android side you can pass in your token when you build the endpoint api, like this, so you don't have to do it with each and every request:
Yourapiname.Builder builder = new Yourapiname.Builder(AndroidHttp.newCompatibleTransport(), getJsonFactory(), new HttpRequestInitializer() {
public void initialize(HttpRequest httpRequest) {
httpRequest.setHeader(...);
}})
Hope this helps you make your endpoints API secure. It should.
I am a little confused by these APIs. I am trying to integrate Google+ with my Android app and I am struggling a little. I have been successful at logging in a user using OAuth2, created a Verifier, obtained an accessToken and made a request to Google+ API.
Here is my line of code requesting to see the user information:
OAuthRequest request = new OAuthRequest(Verb.GET, "https://www.googleapis.com/plus/v1/people/me");
This successfully returns a jSON object containing my information/public.
Whenever I change the endpoint to this:
"https://www.googleapis.com/plusDomains/v1/circles/p4643b3a289c42c44"
attempting to use the PlusDomains, I get a forbidden message.
What I really want to do is manage circles for a user (simply add a page to their "Following" circle. That is all I need.
What am I doing wrong? Am I trying to use the wrong endpoint? Does Google+ API allow me to do POST requests?
Every piece of information is helpful.
Thanks in advance!
Google+API and Google+Domains API are different APIs (activating/allowing one does not activate/allow the other).
The Domains API can be considered as a more powerfull (more functionnalities) than Google+API.
See comparison of the two API here on the official doc.
Link here
I just need the correct format of the request - https://www.googleapis.com/customsearch/v1?
key=INSERT-YOUR-KEY&cx=013036536707430787589:_pqjad5hr1a&q=flowers&alt=json.
My app will simply make a request with the search phrase and get a callback in JSON. I already connect Google Custom Search to my account, fill in the payment details and get all the keys.
I use the key for Android apps (with certificates), but get the response "Access Not Configured" after call the request in the browser.
How to create a query string to request the API? How can I get the parameter cx?
This is a bug of Google. The problem was solved only completely removing default project and create a new one.