Google API Gateway API key restriction

Hello,

For my game, I have backend storage with Google Cloud Firebase. The database can be accessed through Google Cloud API Gateway, with something like:
https://gcloud-link.uc.gateway.dev/getlevel?key=key_value
to get a level etc.
Here, key is a regular API key. When I use an unrestricted key, I can access the API from iOS. But the problem is that when I use a key that is restricted to iOS apps only, with the bundle name of my game, I get a 403 permission denied error. Since the key is restricted to the iOS app with my game bundle, it should not get restricted with the game.

Has anyone faced the same? I am trying my game with a live build, development version.

Thanks

A 403 Forbidden error usually means that the server denies access to the requested resource. In your case, the reason could be a misconfigured API key or server-side restrictions. It is important to make sure that you have configured the API key restrictions correctly in the Google Cloud Developer Console. Make sure that you have specified the correct package for your iOS app and the correct access settings for the API key. It’s also worth checking if there are any other access restrictions set on the Firebase server or in the code of your app itself. Additional configuration or authorization may be required to access the Firebase database.


Yes, thank you. When I send the request as:

local headers = {}
headers["Content-Type"] = "application/x-www-form-urlencoded"
local params = {}
params.headers = headers
network.request(google_api_gatewaylink .. "/getlevel?key=" .. key_value, "POST", addLevelListener, params)

I get the 403 permission error, but if I add the game package name in the header as:

local headers = {}
headers["Content-Type"] = "application/x-www-form-urlencoded"
headers["x-ios-bundle-identifier"] = "my.game.package.name"
local params = {}
params.headers = headers
network.request(google_api_gatewaylink .. "/getlevel?key=" .. key_value, "POST", addLevelListener, params)

Then it works just fine.

I was hoping the game package name would be added to the header automatically.

You have to do everything yourself :) The x-ios-bundle-identifier header is iOS-specific and is used to identify the name of the game package. If you are developing for Android or another platform, you may need to use a different header or parameter to specify the name of the game package.

Yes, thank you. One concern is that anyone can intercept the network request the game is sending and use a third-party tool (like Postman) to send a request with the same key and header, which will be accepted by the server.

For example, I have an API to CreateNewLevel. I was hoping that an API key restricted to my app would be secure and only the app would be allowed to call CreateNewLevel. But it looks like it's very easy for anyone to call the API and spam the database with garbage content.
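On the concern raised in the last post, here is an added example (not part of the original thread, and not code from any Google or Solar2D library) of a backend handler that authorizes CreateNewLevel without relying on the API key or the x-ios-bundle-identifier header. It assumes the backend behind the gateway issues a signed token to each player after sign-in; all function names, limits and the secret are hypothetical.

```python
import hashlib
import hmac
import json

# Assumptions (hypothetical names and limits): the secret stays on the backend
# and is never shipped in the game build, unlike the API key and bundle id.
SERVER_SECRET = b"constructed-demo-secret"
MAX_CREATES_PER_HOUR = 5
MAX_LEVEL_BYTES = 4096
_recent = {}  # player id -> timestamps of accepted creates


def _sign(msg):
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def issue_token(player_id, now, ttl=3600):
    """Backend issues this after the player signs in (sign-in not shown)."""
    msg = f"{player_id}.{int(now) + ttl}"
    return f"{msg}.{_sign(msg)}"


def verify_token(token, now):
    """Return the player id for a valid, unexpired token, else None."""
    try:
        player_id, expires, sig = token.rsplit(".", 2)
        fresh = int(expires) >= now
    except ValueError:
        return None
    ok = hmac.compare_digest(sig.encode(), _sign(f"{player_id}.{expires}").encode())
    return player_id if ok and fresh else None


def create_new_level(headers, body, now):
    """Return an HTTP status; the API key and bundle header are not consulted."""
    auth = headers.get("Authorization", "")
    player = verify_token(auth[7:] if auth.startswith("Bearer ") else "", now)
    if player is None:
        return 401
    window = [t for t in _recent.get(player, []) if now - t < 3600]
    if len(window) >= MAX_CREATES_PER_HOUR:
        return 429  # per-player quota bounds how much one account can write
    try:
        level = json.loads(body) if len(body) <= MAX_LEVEL_BYTES else None
    except ValueError:
        return 400
    if not isinstance(level, dict) or not isinstance(level.get("tiles"), list):
        return 400
    _recent[player] = window + [now]
    return 201
```

The key restriction can stay in place for quota attribution, but the write decision rests on the per-player token, the quota and the payload check.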
