0

On the current app I'm working on right now we use two kinds of google maps APIs: places and timezone. Following on the documentation, I found that for timezone API we can't use the HTTP referrer restriction type (but it works for places API). With HTTP referrer for timezone API, I'm getting the error API keys with referer restrictions cannot be used with this API. which makes sense as for timezone API we need to restrict by IP addresses if follow to documentation.

But here the issue is appearing... When I adding the app server IP address to the list of allowed IPs for timezone API it's still not working, and I'm getting an error like This IP, site or mobile application is not authorized to use this API key. Request received from IP address xx.xxx.xxx.xx, with referer: {my app domain}, where xx.xxx.xxx.xx is my IP not a server IP.

Probably it happens because of the call to the timezone API which I made by javascript 

var url = "https://maps.googleapis.com/maps/api/timezone/json?key={API_KEY}?location={Ylocation},{Xlocation}&timestamp=" + d + "&sensor=false";
                                var ajaxObj = $.ajax({url:url, async:true, success:function(responseJson) {

Is that mean I need to make ajax call to the server (backend) and from there already make timezone API call? If so, maybe there is another way to not refactor current logic?

Bogdan Dubyk
  • 4,756
  • 7
  • 30
  • 67

1 Answers1

1

You are correct to say that Time Zone API will only work if the request is signed with an API key that is restricted with IP restrictions as per the table here. (Though you could also use an unrestricted API key, but that would make the API key vulnerable from unauthorized use.)

You mentioned that using an API key with HTTP referrers restriction works for your Places API implementation. Note that the Places API has four types:

  1. Places API (server side)
  2. Places Library (client side)
  3. Places SDK for Android (for Android apps)
  4. Places SDK for iOS (for iOS apps)

If you are using the Places Library, then you can use an API key signed with HTTP referrers restriction as the library was being loaded on the client side.

On the other hand, if the request happens on the server side using the Places API web service, then, like in Time Zone API, you'll also need to use an API key with IP address restrictions.

Web service calls such as Time Zone and Places API can be used with just about any programming language capable of sending URLs and receiving JSON or XML as a response. But, they don't send HTTP Referrer data to the API.

If the API key used in the request has HTTP Referrer restrictions set, the request will be rejected, because the missing referrers will not match any of the allowed referrers in the list.

As per this doc:

IP restrictions might be impractical, such as in mobile applications and cloud environments that rely on dynamic IP addresses. When using Maps Web Service APIs in these scenarios, secure your apps using one or more of the following techniques:

If you still need further help with this, I would suggest that you file a support case with us on the GCP Console to open a personalized communication channel as this question does not appear to be about programming.

I hope this helps!

annkylah
  • 457
  • 4
  • 11