Comments (10)
> I guess the only option I have is to restrict my own Google API key to the domains of websites that I manage or control and to offer a public version of the app that requires as a parameter a different Google API key that is the responsibility of the using organisation (and they would be advised to restrict the key to domains they manage or control). Of course the API keys will still be exposed, but if they're restricted to trusted domains they should be safe from abuse - right?
Yes and no. Forcing a trusted domain will stop folks from stealing your key and also using it client side. This is of course better than nothing. It can't stop folks from using it server side and spoofing the referer header.
I'm not saying that the client side solution using the key should be taken off the table, just that I think there needs to be a big disclaimer in bold faced print somewhere so people understand the implications of doing it this way. I'm a big fan of Tabletop and have been using it for ~10 years now. I plan on using this API key client side for private applications and in build steps where exposing the key has no real consequence. For public facing apps I'm not sure what I'll be doing yet but likely some form of server side code that hides the key and caches the response to an S3 bucket or something.
> jwhazel the code I posted in comment #189 returns an object, but result.values is an array of arrays.
All I'm saying is that you don't need Papa Parse or jQuery or any other library for this. It's just an array of arrays in the response. So if you pull the raw data like this:

```js
let rawData = await fetch(endpoint).then((res) => res.json());
```

then a couple lines of vanilla JS will give you an array of objects exactly like how Tabletop did it:

```js
// Use the first row as the header row
let headers = rawData.values.shift();
// Now loop through each subsequent row and bind each value to the corresponding header
let data = rawData.values.map((row) => {
  // Build one object per row, keyed by the header of each column
  return Object.fromEntries(row.map((val, i) => [headers[i], val]));
});
```
If you want something besides a simple key:value pair with the key being the header value, you can modify that loop however you want. But the point is it's so much faster/simpler and doesn't require any external libraries.
from tabletop.
Any idea about when it will become obsolete?
from tabletop.
I believe they'll start turning off the V3 API in May, and then by September it all shuts down? Not sure where I read it, but that's what I remember offhand.
The issue is that the new version of their API requires you to use OAuth to log in to do pretty much anything, so we're kinda stuck with something that works from the "publish as CSV" angle. I haven't played around with it too much other than getting the Papa Parse example up and running, so if anyone has other ideas or approaches I'm all ears and happy to update the README and examples.
from tabletop.
There are a lot of sheet ---> JSON projects around, are they all going to break? That's why I'm wondering exactly what Google is doing that is causing breakage.
from tabletop.
Here are the details: https://cloud.google.com/blog/products/g-suite/migrate-your-apps-use-latest-sheets-api
from tabletop.
A note that Papa Parse is not limited to one sheet, either using the current README solution, or the solution that I offered at #189 (comment) that fixes the CORS issue.
In the latter solution you specify the worksheet name, as before. In the former solution (which seemed to break early this week--for at least two of us) you add gid= to the URL and add the appropriate sheet id. Also, in the provided solution, you use the Publish ID, and in the one I provided in issue #189 you use the regular worksheet ID. I'm now accessing four sheets from one worksheet with speeds I haven't seen before. And updates seem to happen without much caching delay, as well.
I don't know if the solution I offer is going to cost money. The Google Sheet API v4 does impose limits. (Time will tell, I guess. I couldn't actually figure out how to calculate what I'll be charged. My guess is: not much.)
from tabletop.
I think that it's important to note that while @mroswell has a nice and elegant solution in #189 (comment) (I'm not even sure it requires Papa Parse since it returns a simple well-formed JSON object), this is probably not a good idea for public facing projects. Or at least it's something that people should consider carefully before choosing to implement.
The purpose of an API key is that it is a key that you hold and keep protected, just like the key to your house or your car. Ideally it should be hidden behind a backend that proxies requests between your client and whatever service you're ingesting so that you have some level of control over who is using it. If you put it in your client facing code, anyone can see it and use it for their own purposes. I've already verified this by searching for repos that use this method posted above, pulling the key, and using it to download my own spreadsheets.
If you do decide to proceed, know that Google does not allow you to cap billing. This is by design. The best you can do is set up alerts when you reach a threshold. Be prepared to react quickly if you get a billing notification. Also, don't commit code that has the API key in it. And if you can, set a referer on any keys you make. None of those things can stop bad people from stealing your keys, but they might slow down the damage a little when it does happen.
from tabletop.
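The backend approach mentioned in the comments above (keep the key behind a server that proxies requests and caches the response), sketched as an added example that is not code from this thread or from the Tabletop project. `createSheetProxy`, `allowedSheets`, `fetchImpl` and `now` are hypothetical names; the upstream URL is the Sheets API v4 `values` endpoint.

```javascript
// Added example: server-side wrapper that keeps the Sheets API key off the client.
// All names here are hypothetical; fetchImpl and now are injectable for testing.
function createSheetProxy({ apiKey, allowedSheets, ttlMs = 60000,
                            fetchImpl = globalThis.fetch, now = Date.now }) {
  const cache = new Map(); // "sheetId!range" -> { expires, rows }

  return async function getRows(sheetId, range) {
    // Serve only spreadsheets we own; otherwise anyone could use the proxy
    // to spend the key's quota on their own sheets.
    if (!allowedSheets.includes(sheetId)) {
      throw new Error("spreadsheet not allowed");
    }
    // Conservative range syntax: a sheet name plus an optional A1 range.
    if (!/^[\w ]{1,64}(![A-Z]{1,3}\d*(:[A-Z]{1,3}\d*)?)?$/.test(range)) {
      throw new Error("invalid range");
    }
    const cacheKey = `${sheetId}!${range}`;
    const hit = cache.get(cacheKey);
    if (hit && hit.expires > now()) return hit.rows; // no upstream call, no quota used

    const url = new URL(
      "https://sheets.googleapis.com/v4/spreadsheets/" +
      `${encodeURIComponent(sheetId)}/values/${encodeURIComponent(range)}`);
    url.searchParams.set("key", apiKey); // the key appears only in this outbound request

    const res = await fetchImpl(url);
    if (!res.ok) {
      // Do not echo the upstream URL or body: either could leak the key to the caller.
      throw new Error(`upstream error ${res.status}`);
    }
    const body = await res.json();
    // First row is the header row; every later row becomes one object.
    const [headers = [], ...rest] = body.values || [];
    const rows = rest.map((row) =>
      Object.fromEntries(headers.map((h, i) => [h, row[i] ?? ""])));
    cache.set(cacheKey, { expires: now() + ttlMs, rows });
    return rows;
  };
}
```

The returned function would sit behind whatever HTTP route the server exposes; the browser only ever receives the row objects.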
Oh heck! This API key security issue comes very close to being a killer for my project.
I recently built this web app that displays maps (using MapBox) with a pin for displaying data from each row of a GSheet - a kind of replacement for Fusion Tables. Then a couple of weeks later it broke when Google changed the CORS policy for accessing their API.
So I was delighted to see @mroswell's nice solution. I have re-engineered my web app to use that and it's working fine again.
But my aim is to offer the app as a tool for all to use and of course as a web app it is simply a JS script with everything including the API key exposed.
I guess the only option I have is to restrict my own Google API key to the domains of websites that I manage or control and to offer a public version of the app that requires as a parameter a different Google API key that is the responsibility of the using organisation (and they would be advised to restrict the key to domains they manage or control). Of course the API keys will still be exposed, but if they're restricted to trusted domains they should be safe from abuse - right?
from tabletop.
@jwhazel the code I posted in comment #189 returns an object, but result.values is an array of arrays.
from tabletop.
The migration deadline was pushed back to January 26, 2021.
https://cloud.google.com/blog/products/g-suite/migrate-your-apps-use-latest-sheets-api
from tabletop.