Google reCAPTCHA: how to generate captcha token on the server side - google-cloud-platform

I've added the Google reCAPTCHA enterprise to my auth endpoints, and now I want to cover them by integration tests. To do so, I need to generate a valid token and pass it to requests. But I can't find in the docs how to do that, they only offer to create a separate reCAPTCHA key for testing environment which is not suitable for me, because I want to test production too.

I am not sure if I understood you, but I utilized test keys for testing Recaptcha using Cypress , here you can find them and more information about what you want

Copied from some source
Hello,
If you’re getting new reCaptcha keys each time you create a site then I’m afraid to say you’re doing so improperly for this scenario. Hopefully, the below instructions can help:
Log into your Google Admin Console.
Browse to the API key that you have set for your website. If you have more than 1 reCaptcha in your Admin Console you may need to click the dropdown next to the “You have ‘x’ site(s)”.
Once you’ve found your specific reCaptcha API, you’ll want to click the Settings gear icon at the top right. This will bring you to your API settings where you can grab your reCaptcha keys and add additional domains to the allow-list.
On the Settings screen you should see a list of domains in an allow-list with an input box to enter additional domains. There should be a plus sign next to this input box. Enter your domain and click the plus sign.
Finally, scroll to the bottom of the page and click the blue “Save” button. This will tell Google to apply your changes and may take up to 5 minutes to be put into place.
This will tell Google to allow the same reCaptcha keys for multiple domains specified in this allow-list on the Settings page. For further help, we’ve created an Imgur Album of a few screenshots that may help you along your way:
https://imgur.com/a/aT8J6Uu
Hopefully, with the above instructions, you’ll be able to add in your additional domains to the allow list. Should you need further assistance, we suggest reaching out to Google G Suite Admin Support.
Hope it will solve your issue
If it still didn't work in your scenario you can use the dynamic way of applying keys like saving keys into the Environment variable and based on the current environment it will be changed dynamically

Related

Google Workspace Addon Google Analytics Tracking

I read the google help for tracking an addon (https://developers.google.com/gsuite/marketplace/use-analytics) and I am not sure, what to do on the google analytics side of the idea.
I added a stream and entered the url of the application url, which I can find in the sore entry settings of the google cloud plattform.
Then I entered the Stream ID in the configuration of my addon's store entry configuration page, where it asks for google Analytics-ID (I entered the G- ... number).
But I don't see any data in GA.
What did I get wrong in the first place? :)
Maybe I am on the wrong path, so I want to share my goal as well: I try to track three things of my google calendar add-on:
how often the add-on in the Marketplace is viewed
how often the add-on actually was installed
what the user did in the add-on, while using it.
thanks for your input and questions to lead me to the solution :)
Try to use a Universal Analytics Property, the one with ID like UA-XXXXX-Y. When you create a new property activate the advanced options and choose that property type.

Issue when trying to register an app for consent screen in google oauth

I am trying to register my app for Oauth consent screen, so that I can create a OAuth client ID. I keep getting this validation error at end of the form, even though I have submitted everything correctly.
An error occurred while saving your app
And this error does not state which input in the form is invalid. Also in the network tab of development tools window, everytime I submit the request, I can see a POST request being initiated and it fails with following error.
{"error":{"code":3,"message":"The request failed because one of the field of the resource is invalid.","details":[{"#type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"client_auth_config","subject":"?error_code=9&error_field_name=UpdateBrandWithMaskRequest.brand_id&error_field_value=0"}]}]}}.
Any suggestions on how to fix this is highly appreciated. I have contacted the google support about this issue as well, but as of now they're saying everything works on their end and clear cache and cookies but it doesn't work. I have attached here a capture of consent config wizard I'm using as well.
Put the Project ID in App Name
Try adding your support email to Firebase console. Go to firebase console->settings->General->Support Email->Add Email. Now while creating oAuth consent screen add same email id developer contact information as well as support email. It worked for me.
To expand on the top answer, there are numerous underlying reasons why this step of the app registration would fail. In the case where the application name is not valid (fails any of the checks that Google Cloud Platform enforces), then setting the application name to the project ID is guaranteed to fix the problem, as the project ID will always happen to be a valid application name.
It may be worth digging into the underlying validation error, which can be achieved by inspecting the network request that is sent upon submitting the form. In the "Network" tab of the Developer Tools, select the POST request that is captured after clicking the "SAVE AND CONTINUE" button. The "Response" tab (shown below for my case) should display an error object with a more descriptive message.
In my case, it seems that the application name was deemed abusive:
The request has been classified as abusive and was not allowed to proceed.
which I suspect is because it contains the word "Google".
What #Kalind said helped me to resolve the problem.
So login to firebase console, chose the project you are trying to create an OAuth Consent too. And then click settings-> General-> Support Email-> Add Email from dropdown.
Now when I go back to google cloud console under the Oauth consent screen, I can see that I have one registered to that project.
I had the same problem, indeed your App name must be identical to your Project ID that you chose when creating the project
I got the exact same error, probably an issue on their end :/
Thanks for reporting this everyone. I've also had the same problem for different apps and #Kalind suggestion fixes the problem. On Firebase project's settings there's a new field now called "Support email" where you can select your support email address. This will fix your issue like #Kalind and #Kasper said. I'm just adding a screenshot to make it more clear for those with the same problem.
Thanks!
For me there was an email in there already (owner of account email).
I had to invite another email > accept invite > change email > save > then change back > then I could proceed with the OAuth Consent Screen.
To change the support email on the Firebase Console you go to:
https://console.firebase.google.com/ > select Cog > Project Settings > General tab > Support Email
I reached this page is because of testing Google Login.
I faced this issue creating "OAuth consent screen".
But I didn't need this to create.
Just go to "Domain verification" page and "Add Domain".
There you may need to add 'txt record' in DNS Setting to prove you owned the domain.
After adding domain, go to "Credentials" page.
It is ready to choose the "Application type" like google guide
!!! pls enjoy !!!
I used the app Id as my App Name in the OAuth consent screen setup page.
If you are trying to use group email from gsuite in App consent/Firebase support, you must be the group owner, and do not need that group email address on any IAM role.
I believe the name of the application requesting access simply needs to be different from the name of the Google project.
This Error was come due to the project name is the same as the app name. So your app name and project name must be differnet
to expand on the helpful post of #zr0gravity7
I checked the 'response' in the developer con{"error":
{"code":3,"message":"com.google.apps.framework.request.BadRequestException:
At least one field must be updated."}}
I simply changed one field, and the save now succeeded.
(This is a very disappointing design of the form error checking)
The app name must be unique across Google. Modify the app name a bit.

Forcing password on login with IAP and restrict domain

I've set up a Django/python web application running on Google Cloud Platform's Kubernetes Engine pods, and secured by GCP's Identity-Aware Proxy.
It all works great, but there are two things I'm not sure how to accomplish.
1) How can I restrict the users to a specific domain, just like the hd=my_domain.com URL parameter does on OAuth2 logging in? That makes the sign-in page only show emails with that domain in the list to click on.
2) How can I enforce that the user logs in with a password, instead of just simply clicking on the account? This is just like when you go to admin.google.com, or security.google.com and even though you're logged in, it forces a password. I know how to go to /gcp/clear_login_cookie to enforce a new login session when I want to log them out, but not sure how to enforce a password is entered. This I believe is called the "user presence test."
Any help is greatly appreciated, I've poured through documentation and have searched various ways on Stack Overflow to no avail.
Both of these items are on our roadmap, though I can't offer a specific timeline.
I don't see an entry in Issue Tracker for either of these. I'll try to remember to add that next week (at which point I'll add the links here), or you can do it yourself: https://issuetracker.google.com/issues/new?component=190831&template=1162609
Thanks for the suggestion, and sorry I don't have a better answer for you!
--Matthew, Cloud IAP engineering

Finding the owner of an app with the API key

Someone built an app for the organization I work for but no one can remember who it was and we need to make changes to the app. The only information we have is the API key. We've tried navigating to the apps page by adding the key at the of http://www.facebook.com/apps/application.php?id=XXXX but we're redirected back to our website. Is there a way we could figure out who administers the app? Maybe using Graph API?
I'm almost positive you can not use that. I would navigate to the app itself, and on the bottom of the page inside on the right side, for "ctrl+f" for find, and click "Report/Contact this App" and then send a message to the developer.

Can I get a list of Pages that have installed my Tab app?

I've seen a similar question asked a few times, but usually it is from people trying to find out which Page is currently accessing their Tab app. (Which you can do by inspecting the signed_request.)
I'm trying to build a UI that will show the user all the Pages that he/she is an Admin of, and then display which of those Pages have my Tab app already installed. I'd like to make a FB graph API call to either a) get the list of Pages that have my Tab app installed or b) get a yes/no answer for whether a particular Page has it installed. Is this possible?
As a fallback, I will make a table in my database to track Page IDs whenever a Page views my Tab (using the aforementioned signed_request) but this won't be as good, because it won't know when someone has uninstalled the Tab from a Page.
To be complete (for future readers): this does not require manage_pages. You can also use the FB app's token. Also see: Check if page tab app is still installed
In the general case, 'no', without keeping track on your side via the signed_request but if you're already obtaining manage_pages access from the user it's pretty trivial to check if a particular app (i.e, yours) is installed on the page
See the page documentation for details, relevant part:
You can test if a specific app is installed on a page profile tab by issuing an
HTTP GET to PAGE_ID/tabs/APP_ID. If the app is installed, this will return the
following fields:
(you'll need the page access token from the user's /accounts connection for that call