YouTube v3 data API abuse through a chrome extension - google-chrome-extension

I am developing an app that uses the YouTube Data API. Everything worked well for more than two months until today. I got a quota limit exceeded error today and, after I opened the Google Cloud console, I noticed that I somehow got over 70 million requests from the Chrome app OAuth client, which is definitely abnormal. It looks like someone is abusing my extension and sending requests.
I do use chrome.identity.getAuthToken and request https://www.googleapis.com/youtube/v3/channels?part=id,snippet&mine=true&access_token=${token} when a token is updated, so that I can display the user's authorized account name (and other details) in the extension control panel.
I assume that someone programmatically revokes the access and reloads the extension thousands of times a minute, so that the extension keeps sending requests to get the user's channel info.
How do I handle such situations correctly? Is there a way to find that user and ban him from using the extension?

Related

Gmail API Oauth Approval been waiting almost 3 months

I have an application that can link to a Gmail account via OAuth for a client and send email from the system. I created the OAuth authorization with Google almost 3 months ago. I received 2 emails from them over that time: one was resolved within an hour, the other was requesting a video which was already included in the original request.
Is Google always this slow? I have called cloud support and did not receive any help. Has anyone else had to wait months to get OAuth authorization from Google?
Facebook and Microsoft were within a day.
Tried calling cloud support (no help). Sent them feedback on the OAuth console page. No reply. Replied to the email in which they requested more information, but that was over 6 weeks ago; no reply. I am trying to get access to send an email. This has to be one of the most common use cases with Gmail. It does not make sense that it is taking so long.
N/A. It is a web application using Gmail OAuth2.
The first few communications with Google regarding verification went relatively quickly, with 1-5 day response times. These were the "obvious error" ones. Once we resolved those, we received this on Mar 29:
"Thank you for submitting an OAuth App Verification request. We appreciate your patience during this review period. The app verification process can take several weeks to complete. Google will not take action against apps for non-compliance with the new policy during the verification process if you are acting in good faith to come into compliance. User access to your app for existing approved scopes will not be impacted. All apps that have applied are expected to fully complete the app verification process by May 15, 2019, with the remainder of 2019 to complete the security assessment."
So that is a suggested 6 week timeframe.
Have you received a similar email?
Also note: if your app is not currently available for public use (or is in development), you can request to skip the verification process.
https://support.google.com/cloud/answer/9110914#skip
"This has to be one of the most common use cases with Gmail. Does not make sense that it is taking so long."
It might make sense in the context of the 2019 Restricted Scope security requirements and the level of chaos that is creating for developers, and therefore for their support/verification team.
Based on the FAQs, if your project contains multiple OAuth clients, Google needs videos demonstrating usage of restricted scopes for each of those clients. Failure to do so might be resulting in multiple communications. Removing unused clients from your project may help.
Email oauth-feedback@google.com and ask them for an update on your verification status.

How can I create an extension which calls the Youtube API?

I have created, on my computer, a Chrome extension that calls the YouTube API and shows extra information about video search results. In the extension I use a provided API token.
The extension works, but I am wondering how to prevent future users of the extension from retrieving my API token by decompiling the extension (which is only JavaScript and config files) and using this token outside the scope of the extension. If that happened, the API usage quota could be exhausted quite quickly and then the extension would be unusable for its other users.

Connect Google calendar api and api.ai

So here is what I am trying to do:
I built a bot with api.ai for my business that is hosted on my webpage and my Facebook page right now. The bot works well.
I want to push it to the next step by allowing my customers to make queries on my calendar: ask to book a specific time, see if it is available, if not offer other similar times, then make a booking.
I have been reading this thread and the great answer attached to it, but I think my case is a bit different.
I was wondering if the bot could always have a token so every guest won't have to authenticate to query the calendar?
Obviously I am new to this; I have been reading the guide of the Google Calendar API and api.ai, but I don't really see how to do that yet. I guess there is a way to store a token somewhere and then just trigger the query with some specific intents, but I'm not too sure how.
I have also done the node.js quickstart guide of the Google Calendar API, and it works fine, if that helps.
Thanks for your help!
You will probably want to use a Service Account that is permitted to the calendar in question. Service Accounts are similar to regular accounts, but they are expected to do server-to-server communication only, so the method to create an auth token is a little different to keep it secure.
See https://developers.google.com/identity/protocols/OAuth2ServiceAccount for more information about using Service Accounts.
In general, you'll be using a shared secret to create and sign a JSON Web Token (JWT) you send to Google's servers. You'll get back an access token which you'll then use to call the Calendar API. The access token expires in about an hour, at which point you'll need to repeat the process.
There are libraries available to do much of this for you. For example, if you're using the node.js library https://github.com/google/google-api-nodejs-client, then it will take care of this for you (although you need to modify the key file - see the documentation for details).

I want to show the last photos of my instagram on my website, can I do that with their API?

I'm using JavaScript code (instafeed.js) to connect to the Instagram API and get the latest photos of my Instagram account. The problem is that it works for a few days and then the token I got from Instagram "expires" or something and it stops working. It throws Uncaught Error: Error from Instagram: The access_token provided is invalid.
I believe (I might be wrong) it's because I never sent my "app" for review and they are giving me a "sandbox mode" token. Or should I be able to use their API for this simple thing without approval?
Should I send my website for review or is this not an intended use of their API? And if it's not, what should I do?
You should be able to use the API in sandbox mode to access your latest 20 posts. You don't need to get reviewed.
Not sure about the access_token expiring; in live mode it never expires, so I expect sandbox to be the same.

Can the cocoalibspotify metadata methods be used without a Spotify account?

This appears to have been last addressed a year ago here:
Accessing Spotify Metadata API from within a Spotify app?
It seems that the cocoalibspotify API has been worked on a lot since then, but can someone confirm that we still have to fall back to using the Spotify Web API on iOS for users without Spotify accounts to be able to search and view metadata for albums and artists?
Everything appears to work when a user is logged in via the API (using [SPSession attemptLoginWithUserName]), but when doing, for example, [SPAsyncLoading waitUntilLoaded] on an SPTrack, it times out unless you're logged in.
No, for CocoaLibSpotify to work at all, you need to have a logged-in user. The Web API is the only way to access metadata without this.