Login/Register
Google Cloud Translate API & Referer Restriction Issue
Asked Answered
Solved phpgoogle-cloud-platformgoogle-translategoogle-translation-api
S

4

5

I have a frustrating issue with the Google Cloud Translate API.

I set up correctly the restriction of the key to some domains including *.example.com/ * (without blank space at the end)

I launch the script on the URL https://www.example.com/translate and i have the following message :

"status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
        "domain": "googleapis.com",

When i remove the restriction, everything works, but i need the restriction to avoid misuse/abuse.

Furthemore, i use this same API Key for others Google App API (Maps, Auth, etc) and it works perfectly from this domain...

So weird.

Do you have any ideas or any ways to investigate better this issue ? How i can know the referrer Google sees ? (or any external service)

Thanks a lot !!

Edit :

PHP code :

require_once(APPPATH . "libraries/GoogleTranslate/vendor/autoload.php");
require_once(APPPATH . "libraries/GoogleTranslate/vendor/google/cloud-translate/src/V2/TranslateClient.php");
    

    $translate = new TranslateClient([
      'key' => 'xXXXx'
    ]);

    // Translate text from english to french.
    $result = $translate->translate('Hello world!', [
      'target' => 'fr'
    ]);

    echo $result['text'];

Full error message :

Type: Google\Cloud\Core\Exception\ServiceException



 Message: { 
"error": { "code": 403, "message": "Requests from referer 
\u003cempty\u003e are blocked.", 
"errors": [ { "message": "Requests from referer \u003cempty\u003e are blocked.", "domain": "global", "reason": "forbidden" } ], 
"status": "PERMISSION_DENIED", 
"details": [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", 
"reason": "API_KEY_HTTP_REFERRER_BLOCKED", 
"domain": "googleapis.com", 
"metadata": { "service": "translate.googleapis.com", "consumer": "projects/XXXXX" } } ] } }

Filename: htdocs/application/libraries/GoogleTranslate/vendor/google/cloud-core/src/RequestWrapper.php

Line Number: 368
Skellum answered 31/12, 2021 at 0:19 Comment(8)
How are you adding the restriction? There is any guide that you are following?Simonides
@Simonides Thanks for your reply ! I'm adding the restriction through the Google Cloud Console => API & Credentials You create your Key there and define the restrictions, on the same page there is a guideline to how do it. I respected all but it doesn't work. Weird.Skellum
Hmmmm Based on the documentation, the wild card can be used on the subdomain and/or path, but not for the protocol, so may you need to specify the https: https://*.example.com/*Simonides
@Simonides Thanks for your reply, i implemented it with a lot of hope but it still doesn't work... :(Skellum
Could you please provide a full step by step about how you are doing this process? This might help to reproduce your situationSimonides
@Simonides : Thanks for your help ! First, I go to console.cloud.google.com/apis/credentials?project=XXXX In click on « + Create Credentials » then « API Key » It creates an API Key => I click on « Restrict Key » On this page, I change the application restrictions from « none » to « HTTP referrers » (At this state, if I try my script, it works perfectly.) I add the following http referrers : *.my-domain.com/* And I click on « save » I wait 5 minutes before to try. Once I try, the script fails with the same error message i posted before.Skellum
Is possible for you share the script or a snippet of it? I would like to reproduce the issue, since it seems to be working from my endSimonides
@Simonides : Thanks for your help, i edited the main post and added the PHP script. But from the error message, it seems it's rather an issue from Google API side no ? but i wonder something, is it normal if in the error message, the indicated domain is googleapis.com and not my domain ?Skellum
G
5

I will leave here my insights discussed on the Public Issue Tracker.

The HTTP restriction is working as intended, but the referer is always empty because this is not set by default. However, it can be added manually, so instead of doing:

-$translate = new TranslateClient([
'key' => 'XXX'
]);

You need to specify the referrer:

-$translate = new TranslateClient([
'key' => '[API_KEY]',
'restOptions' => [
   'headers' => [
       'referer' => '*.[URL].com/*'
   ]
]
]);

You have to take into account that this type of requests can be sent from whatever computer (if you have the key) since you’re not restricting the domain where the request is made, only checking who is the referrer (and you can set it manually). Moreover, API clients that run on a web browser expose their API keys publicly; that’s why I recommend you to use service accounts instead. For more information: adding application restrictions.

Regarding the HTTP referer, this is basically a header field that, basically, the web browsers put to let the web page know where the user is coming from. For example, if you click the above link (HTTP referer) your referer field will be this page.

In summary, since you can put whatever referer in the header of a request, this is pretty similar to not having any type of restrictions. Indeed, it’s recommended to use service accounts. To solve this issue easily, add the referer manually in the headers as exposed in the code above.

Goodygoody answered 17/2, 2022 at 10:2 Comment(2)
Thanks a lot Carlos, sorry for the delay ! Your solution fixed the issue, but as you said yourself unfortunately it's not a long term solution but at least it works. Didn't have the time yet to check your long term solution with service accounts, hope it will works right. Anyway thanks A LOOOOOT for the time you spent on this issue !!! You're the best !Skellum
You're welcome, I'm glad it worked!!Goodygoody
G
1

I read the comments and you seem to be doing everything ok. I would recommend you to try:

  • This error message can appear because you set API restrictions in the API key, is this the case? Maybe you’re restricting this specific API.
  • If you aren’t setting any API restrictions, is it possible to try adding an IP instead of the domain just for testing purposes?
Goodygoody answered 1/2, 2022 at 11:47 Comment(12)
Thanks for your reply ! I added restrictions with HTTP referrers and it's the problem. Without restriction = everything works fine. With IP restriction = everything works fine. With HTTP referrers restrictions : BUG...Skellum
I don’t know if we are referring to the same restrictions since every section has the word “restriction” 😂. In the key restrictions page you set the application restriction for HTTP referrers, but in the API restrictions, are you restricting any APIs?Goodygoody
Oh sorry, indeed i misunderstood your comment. So, i set application restriction BUT NOT API restrictions. Only HTTP referrers restrictions.Skellum
Seems very odd, yeah… I know it could sound a bit “stupid”, but could you try set up the API restrictions to specifically allow the Cloud Translation API?Goodygoody
So i added the API restriction to the Application Restriction => FAILS, then i removed the Application Restriction and kept the API restriction only => WORKS Back to the same problem with the Application Restriction... I don't get it... It's driving me crazy 😝Skellum
And to bring more infos maybe : last time, i had an issue with the Google Maps API, a weird issue also. I contacted the technical support and after 30 seconds they found the reason : my financial account was linked with a forbidden country where i lived before. So we fixed it in 2 minutes, easily. Unfortunately there is no direct technical support for Cloud Translate...So i'm on this issue since more than 1 month ! 😭😭😭Skellum
Ohh... Does that mean that this issue is solved?Goodygoody
No why ? It still fails if there is any HTTP restrictions. Back to base 1 unfortunately... :( :(Skellum
Sorry, I completely misunderstood your comment. I’m from the GCP support, do you mind opening a Public Issue Tracker and share the ID here so we can discuss this more deeply? The link is already set up for this component and it’s confidential (only GCP support and you can see it)Goodygoody
Thanks a lot ! I just opened one !Skellum
Can you share the ID so I can personally handle it?Goodygoody
The Public Issue Tracker was magically assigned to me so don’t hesitate to pass the IDGoodygoody
A
0

I had same issue with google translate but not with maps. So maps works with referrer restriction, but translate does not.

The only solution I found, with a restriction in force, is setting up an IP restriction instead of the HTTP referrers (web sites).

Aara answered 4/10, 2022 at 14:6 Comment(1)
Check the solution provided by Carlos CB above, it worked for me.Skellum
C
0

For me the example above gave me some insight and I was able to modify my code to make it work. I am adding a snippet of my code and how I added custom headers for the HTTP request. I hope this gives others some lead or solves their issue.

<?php

// Replace 'YOUR_API_KEY' with your actual API key
$apiKey = 'YOUR_API_KEY';

// Get the search query from the client-side
$searchQuery = "tacobytes";

// Set custom headers for the HTTP request
$contextOptions = [
    'http' => [
        'header' => 'referer: *.yourdomain.com/*',
    ],
];

$context = stream_context_create($contextOptions);

// Make a request to the YouTube Data API with the custom context
$apiUrl = 'https://www.googleapis.com/youtube/v3/search';
$apiParams = [
    'part' => 'snippet',
    'type' => 'video',
    'q' => $searchQuery,
    'maxResults' => 2,
    'key' => $apiKey,
];

$apiUrl .= '?' . http_build_query($apiParams);

// Make the request to YouTube API with the custom context
$response = file_get_contents($apiUrl, false, $context);

// Return the JSON response to the client
header('Content-Type: application/json');
echo $response;
?>
Claudineclaudio answered 29/12, 2023 at 6:46 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.