I'm looking at the following guide: https://developers.google.com/youtube/v3/getting-started

The first step of interacting with YouTube's API is:

You need a Google Account to access the Google Developers Console, request an API key, and register your application.

And they continue on to show an example where they use the key:

URL: https://www.googleapis.com/youtube/v3/videos?id=7lCDEYXw3mM&key=YOUR_API_KEY&part=snippet,contentDetails,statistics,status

I have a client-side application which is used by many people. The application issues search requests to YouTube's API. YouTube's API has a request limit of 50 million requests per day.

Since it's a client-side application, my API key is embedded into the code.

Today, a malicious user scripted something to max out the requests.

I'm wondering what recourse I have to be able to defend against this sort of activity. Is my only option to host a server, route all needs for YouTube's API through my server, and deny requests when they come too frequently?

I have real concerns about implementing something like that. It would effectively double the wait time for every API request and also tax the server a seemingly unnecessary amount, but perhaps it is needed.

Do I have any other options available to me?

Thanks

Sean Anderson

7 Answers

I don't think it is a malicious user. I think something's wrong on YouTube's side, since I'm seeing exactly the same issue with API requests made from my app.

cujo30227
  • WOW!! Really? Holy crap! – Sean Anderson Sep 04 '14 at 19:33
  • Yeah. There's others seeing the same issue: http://stackoverflow.com/questions/25657245/youtube-data-api-daily-requests-went-from-2-7mn-to-43mn-in-one-day?lq=1 and http://stackoverflow.com/questions/25670351/youtube-api-v3-every-single-request-is-counted-as-300-requests?lq=1 – cujo30227 Sep 04 '14 at 21:05
  • It seems that every 1 request now 'counts' for 150 – cujo30227 Sep 04 '14 at 21:07

You can use restrictions to secure your API key.

Use the REFERERS attribute of the public API key. Go to your project in the Developers Console -> API&Auth -> Credentials.

  • If you use a key for browser applications, REFERERS is a reference to a domain.
  • If you use a server key, REFERERS is a reference to an IP (the IP of your server, for example).

For example, if you use github.io to make a live demo of an application, REFERERS will point to http://user.github.io/*

You can read more in the register your application section:

  • Use a server key if your application runs on a server. Do not use this key outside of your server code. For example, do not embed it in a web page. To prevent quota theft, restrict your key so that requests are only allowed from your servers' source IP addresses.

  • Use a browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer.


mpgn
  • Browser extensions don't have a referrer by default and can actually modify their referrer by intercepting request headers through chrome.webRequest.onBeforeSendHeaders. :( Same with restricting per-user based on IP Address - they could just modify the IP address since it's being sent from the client. – Sean Anderson Sep 04 '14 at 19:35
This was due to a quota cost increase; it's temporarily reverted. We'll announce cost changes in http://apiblog.youtube.com/ and https://developers.google.com/youtube/v3/revision_history going forward.

Ibrahim Ulukaya
  • Hey, I also said this on the bug report, but I'll respond here, as well. Could you please clarify what you mean by temporarily reverted? Is it YouTube's intent to increase the cost by a factor of 150? That seems egregious. My application currently incurs a cost of 8-10 million points a day. Multiplying that cost by 150 would effectively cripple my application. – Sean Anderson Sep 09 '14 at 16:43
It appears to be a major bug. Same problem here - quota usage spiked like crazy starting on Sept. 3 and requests now cost WAY more than the documentation states.

Someone reported it as a defect in their bug tracking system. I suggest everyone affected go there and star the defect to help call attention to it:

brett rogers
I propose the following ideas:

  • You can make sure the user accessing your page is a human (with Captcha, etc.)
  • Hide your API call behind an AJAX call that is triggered by your front-end (like GET /callgoogleapi);
  • The handler of the AJAX call can set a frequency threshold, e.g. 2 requests per second. If too fast, the API call is not made, and the AJAX reply is a message like "User operation too fast".

Zz'Rot
  • I mentioned that in my post as well as my concerns with hiding the request behind a proxy. Trying to have my server handle 10 million API requests a day in addition to effectively doubling the response time seems like a bad decision, but the only one apparent to me. – Sean Anderson Sep 04 '14 at 04:27
That is correct. When you make your key, make sure you use REFERERS so that, even if they do get your key, it will not work for them!

John
We also see this error; it seems to be too large a deviation. The results Overview is 813.844, but the APIs page shows 49,379,348 of 50,000,000 requests used today.