I'm making a web-app where I need to make a request to the Google Places API, this is all good but I also need to make a request to the Places Photo API to display the images of the stuff I find using the places API. To do this, you need to make a request like this:
https://maps.googleapis.com/maps/api/place/photo?parameters
Where one of mandatory parameters is your API Key. I'm using Django and I'm passing a dictionary that has all the info I need to display. However, in the frontend you can see the API Key in the URL of the image. Is there any way I can avoid that?
Thank you so much!
You cannot avoid using an API key. All calls to the Maps APIs need to pass an API key to be able to work.
However, you can secure your API keys with restrictions.
You may follow these instructions to restrict your API key for Place Photos use.
Hope this answers your concern.
The Places API is a server API and can not be restricted by referrer. If you try then you get a 403 response to every request. You can't use it client side with an IP restriction, so the only restriction available is to limit it to the places API. This is not ideal since some of the places API calls are chargeable.
Related
I'm currently researching on how to use facebook API and collect its data thru streamsets and store it to S3. But facebook requires developer to create an app and verify it which somehow not applicable to what I'm doing right now. Is there other way to do this? like different process to access the Facebook API without creating an App?
While I'm happy to stand to be corrected, I do not believe this can be done.
It's not like you have to actually MAKE an app with your "app" - the app is simply an API key that has some associated data with it like titles and URLs and such. This also helps them track your usage and make sure you're following the rules, and block your key if you don't.
I'm using a third party API Key for my website. I have done some modification on that API and now I'm using it for my own site.
I want to secure that API data by adding a restriction on any user (Authenticated or Anonymous ).
I want to add a time limit on the data provided by the API. So, if anybody uses the same data after a certain period of time then it will show an error.
As well as I want some restrictions on users IP. So, a user can access my website a fixed number of time.
You might want to use the Django REST Framework JWT Authentication.
I implemented https://github.com/davesque/django-rest-framework-simplejwt
It works - the installation is rather easy - read the docs :)
if you are using DRF use the authentication class settings. If you are using normal Django views you can wrap the view with a login_required decorator
I am using Django v1.8 and django-rest-framework v3.2.2. I have a site with a public-facing API, which is also consumed by my own site (on the same domain) as the Ajax back-end to a JavaScript application, using GET only.
I want public users of this API to be asked for a key parameter in the URL, which I will issue manually. But I also want my JavaScript application to be able to use the API, in a way that means that other users can't just steal the key and use it.
I have set up my custom key authentication as described here, and it's working well.
However, I'm unclear on how the JavaScript application should use the API. Obviously I could just pass a dedicated key parameter in the URL, but then won't other users trivially be able to spot the key and use it?
I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.
Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.
Very grateful for any advice.
I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.
SessionAuthentication is the Django's one. It uses session to authenticate a user. It's mostly transparent for ajax request as the browser will send the cookie automatically. However, if you're posting data, you need to make sure you send the CSRF token in both headers and post body.
Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.
As said above, it uses cookies for that. They are part of the headers and thus usually not seen on the urls.
To make sure no-one else can steal user's session you need to run the site through https.
This isn't much different from regular websites.
I'm trying to design a good RESTful API for my web app and am looking at Facebook's Graph API as an example.
My plan is to dogfood the API in the web app. For example, if the user changes their name, gender, etc., on the settings page, it would just PUT to the /user endpoint of my web app with the new data.
However, I noticed that Facebook's Graph API does not allow modifications to the User resource. Are there some resources that you want to make sure are not modifiable from the public API?
I'm basically just wondering if there are any risks with my method, and if not, why other websites don't do the same thing.
Yes, there are resources that you want to prevent API users from modifying, but they are application dependent. For instance, an API I'm working on right now lets callers read but not update audit data, read user records (but only modify parts of their own), and create and update home addresses.
You will want to make sure that you have rigorous security in place to prevent users from modifying certain parts of a User (such as username or password), especially if user A is calling PUT /users/B.
I know it is possible to get the locale of the user with getSignedRequest, and it is possible to get the locale of the user with https://graph.facebook.com/me?fields=locale once they have authorised the app. But what is the equivalent graph api url that I can use before they have authorised the app? All my code is with the graph api so I really dont want to have to switch now to using the whole facebook->getSignedRequest() stuff. I can't find it anywhere but seems silly this functionality has not been provided in graph api?
You have to pick between using the signed_request (which is sent in a POST request to all apps on Facebook) or authorizing the user.
If you don't do one of these, then you won't know what the Users ID is, so you will never be able to identify their locale.
The signed_request just requires you to be able to capture request data and then perform the parsing logic outlined in the doc linked to above - it doesn't require the use of any SDK or API, just the ability to read requests (most languages will be able to do this).