Login/Register
Firebase Cloud Functions: Requests from referer <empty> are blocked. - PERMISSION_DENIED
Asked Answered
Solved node.jsfirebasefirebase-dynamic-linksrequest-promise
N

3

7

I am not sure why the following code is throwing google api key permission denied. I have the api or service enabled both in firebase console and google console.

export async function createJobDynamicLink(job){
    if(job.jobStatus !== 'approved' ||  (job.dynamicLink).length > 2){
        console.log('Dynamic link already exist!');
        return false;
    }

    console.log(dynamic_links);
    console.log(dynamic_links_key);
    // Firebase web api key logs just fine
    const options = {
        method: 'POST',
        uri: `https://firebasedynamiclinks.googleapis.com/v1/shortLinks?key=${dynamic_links_key}`,
        body: {
            "longDynamicLink": makeDynamicLongLink(job)
        },
        json: true
    };

    return await requestpromise(options)
        .then(function (parsedBody) {
            console.log(parsedBody);
            return parsedBody.shortLink;
        })
        .then((shortLink) => {
            //post.shareUrl = shortLink;
            console.log('short link: ' + shortLink);
            //return event.data.ref.set(post);
            return shortLink;
        })
}
export async function makeDynamicLongLink(job) {
    return buildUrl(`${dynamic_links}`, {
        queryParams: {
            link: `https://app.com/jobs/${slugify(job.jobTitle)}-${job.id}`,
            apn: "com.app.appe",
            ibi: "com.app.app",
            dfl: "https://app.com",
            st: job.jobTitle,
        }
    });
}

Is something wrong with the way I am doing the request using request-promise?

StatusCodeError: 403 - {
  "error": {
    "code": 403,
    "message": "Requests from referer <empty> are blocked.",
    "status": "PERMISSION_DENIED",
    "details": [{
      "@type": "type.googleapis.com/google.rpc.Help",
      "links": [{
        "description":"Google developer console API key",
        "url": "https://console.developers.google.com/project/904573jjwj/apiui/credential"
      }]
    }]
  }
}
Newby answered 29/12, 2019 at 14:31 Comment(0)
L
5

Because you are invoking your function from a node.js environment, the HTTP Header Referer isn't being set. When you create requests through a browser, the browser will automatically fill this field for you.

You can get a suitable referrer value using:

"https://" + process.env.GCLOUD_PROJECT + ".cloudfunctions.net/createJobDynamicLink"
// becomes "https://your-project-id.cloudfunctions.net/createJobDynamicLink"

This generated URL isn't callable, because it doesn't start with a region, but it means you now have a URL that can be used to identify that the call is coming from a Cloud Function.

To use it, add it to your request-promise options object.

const options = {
        method: 'POST',
        uri: `https://firebasedynamiclinks.googleapis.com/v1/shortLinks?key=${dynamic_links_key}`,
        body: {
            "longDynamicLink": makeDynamicLongLink(job)
        },
        headers: {
            "Referer": "https://" + process.env.GCLOUD_PROJECT + ".cloudfunctions.net/createJobDynamicLink"
        },
        json: true
    };

Note: I'd use request-promise-native instead of request-promise - same API but skips loading Bluebird.

Lareine answered 29/12, 2019 at 15:43 Comment(3)
The referer had to be the accepted domains in the google console.Newby
I still get the same error after adding headers/referer field. Also I whitelisted the url. Still doesn't work. Same errorDryad
@Dryad can you try regenerating the API key or creating a new API key from scratch - but whitelist the URL right away with the new key? I ran into the same problem working for another client. I don't have access to the account to test but wondering if that will solve this problem. We temporarily solved using Zack Phan's idea below to set the restriction to none.Swifter
P
9

Go to the Google API Credentials https://console.developers.google.com/apis/credentials and see if there is any restriction on your API Key you're using. If it is restricted by HTTP referrers, then add your website domain to it and add the Referrer header like the above answer. Although in your use case, None or IP address restriction is a better choice.

Pantheism answered 6/10, 2020 at 14:9 Comment(0)
L
5

Because you are invoking your function from a node.js environment, the HTTP Header Referer isn't being set. When you create requests through a browser, the browser will automatically fill this field for you.

You can get a suitable referrer value using:

"https://" + process.env.GCLOUD_PROJECT + ".cloudfunctions.net/createJobDynamicLink"
// becomes "https://your-project-id.cloudfunctions.net/createJobDynamicLink"

This generated URL isn't callable, because it doesn't start with a region, but it means you now have a URL that can be used to identify that the call is coming from a Cloud Function.

To use it, add it to your request-promise options object.

const options = {
        method: 'POST',
        uri: `https://firebasedynamiclinks.googleapis.com/v1/shortLinks?key=${dynamic_links_key}`,
        body: {
            "longDynamicLink": makeDynamicLongLink(job)
        },
        headers: {
            "Referer": "https://" + process.env.GCLOUD_PROJECT + ".cloudfunctions.net/createJobDynamicLink"
        },
        json: true
    };

Note: I'd use request-promise-native instead of request-promise - same API but skips loading Bluebird.

Lareine answered 29/12, 2019 at 15:43 Comment(3)
The referer had to be the accepted domains in the google console.Newby
I still get the same error after adding headers/referer field. Also I whitelisted the url. Still doesn't work. Same errorDryad
@Dryad can you try regenerating the API key or creating a new API key from scratch - but whitelist the URL right away with the new key? I ran into the same problem working for another client. I don't have access to the account to test but wondering if that will solve this problem. We temporarily solved using Zack Phan's idea below to set the restriction to none.Swifter
A
1

In my case i had

    <meta name="referrer" content="no-referrer">

in the head so the referer was not being sent

Athirst answered 5/12, 2021 at 22:58 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.Coleen

© 2022 - 2024 — McMap. All rights reserved.