• Resolved wigglepit

    (@wigglepit)


    Hello,

    I am getting an error when trying to use “Websites” application restrictions:

    -Calendar is public
    -Calendar ID is correct
    -API key set up correctly with HTTP referrer restriction e.g. *.sitename.org/*
    -API Restrictions are set to “Don’t restrict the key”
    -Followed all steps here, have tried 3 times with 3 separately generated API keys: https://docs.simplecalendar.io/google-api-key/

    The calendar is visible when I set “Application restrictions” to “None”. But when I set it to “Websites” and add the following properties, it immediately breaks and throws the error:

    *.sitename.org/*
    https://sitename.org
    https://sitename.org/calendar
    https://sitename.org/calendar/

    This is the error:

    While trying to retrieve events, Google returned an error:

    {
    "error": {
    "code": 403,
    "message": "Requests from referer \u003cempty\u003e are blocked.",
    "errors": [
    {
    "message": "Requests from referer \u003cempty\u003e are blocked.",
    "domain": "global",
    "reason": "forbidden"
    }
    ],
    "status": "PERMISSION_DENIED",
    "details": [
    {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
    "domain": "googleapis.com",
    "metadata": {
    "service": "calendar-json.googleapis.com",
    "httpReferrer": "\u003cempty\u003e",
    "consumer": "projects/xxxxxxxxxxxx"
    }
    },
    {
    "@type": "type.googleapis.com/google.rpc.LocalizedMessage",
    "locale": "en-US",
    "message": "Requests from referer \u003cempty\u003e are blocked."
    }
    ]
    }
    }


    Please ensure that both your Google Calendar ID and API Key are valid and that the Google Calendar you want to display is public.

    Only you can see this notice.

    Removing the HTTP referrer restriction immediately makes the calendar work – however this is obviously not ideal. How can we get the calendar plugin to identify itself with the referrer correctly? It appears that the referrer is <empty>.

    Thanks!

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support john

    (@johnweru)

    Hi there,

    Thanks for reaching out to us.

    In regards to your question here, unfortunately, it’s not possible to restrict the API key by website. If you want to carry out restrictions, it should be by the IP address of your server since we get events from the backend. I would recommend that you consult your host for this information.

    I hope this helps.

    Kind Regards

    Thread Starter wigglepit

    (@wigglepit)

    Thanks. I removed the restriction by website, and added it by IP, using the IP address provided by my host, and now I’m seeing this new error. What do I do now? The IP address it says is originating is now the same IP address as my server / host. I don’t know where the originating IP came from?

    While trying to retrieve events, Google returned an error:

    {
    "error": {
    "code": 403,
    "message": "The provided API key has an IP address restriction. The originating IP address of the call (34.173.182.72) violates this restriction.",
    "errors": [
    {
    "message": "The provided API key has an IP address restriction. The originating IP address of the call (34.173.182.72) violates this restriction.",
    "domain": "global",
    "reason": "forbidden"
    }
    ],
    "status": "PERMISSION_DENIED",
    "details": [
    {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "API_KEY_IP_ADDRESS_BLOCKED",
    "domain": "googleapis.com",
    "metadata": {
    "service": "calendar-json.googleapis.com",
    "consumer": "projects/xxxxxxxxxxxx",
    "callerIp": "34.173.182.72"
    }
    },
    {
    "@type": "type.googleapis.com/google.rpc.LocalizedMessage",
    "locale": "en-US",
    "message": "The provided API key has an IP address restriction. The originating IP address of the call (34.173.182.72) violates this restriction."
    }
    ]
    }
    }
    Please ensure that both your Google Calendar ID and API Key are valid and that the Google Calendar you want to display is public.

    Only you can see this notice.

    Additionally, I am using this plugin on another site (same host, though) and on that one I checked and I *am* restricting by websites (and not IP) and that calendar is working fine.

    Plugin Support john

    (@johnweru)

    Hi there,

    Thanks for keeping in touch with us.

    In regards to the query here, please add the originating IP highlighted in the error to the list of allowed IPs in the IP address restrictions section.

    Let us know how it goes.

    Kind Regards

    Thread Starter wigglepit

    (@wigglepit)

    Thank you – I can’t do that because it will work temporarily, but the IP at our host changes and I’d have to add over 60 to *almost* cover all of them (hundreds to cover them all)

    I am restricting by ‘websites’ on another site using this plugin. Not sure why that one is working, but I can’t do that with this one? Is there no other way than by IP?

    Plugin Support john

    (@johnweru)

    Hi there,

    Thanks for keeping in touch with us.

    In this case, I’m afraid the restriction can only be via IP address as it currently stands. Website restrictions will not work. It is likely you are viewing a cached version of your calendar in the other site where you suggest that website restrictions do work.

    About your host IP changing, unfortunately there isn’t much we can do from our end about that. I would recommend requesting your host to provide you with a static IP address. You can then use this IP address to carry out the restriction.

    I hope this helps.

    Kind Regards

    Thread Starter wigglepit

    (@wigglepit)

    Hello,

    Thanks for your time troubleshooting (and providing this plugin in general!).

    I just tested the other site that is restricting by website, and it is still working and current (not cached). I just added a new calendar event, cleared the calendar cache, and it showed up on the website. This particular website was set up a few years ago, maybe something was grandfathered in? I’m happy to share it with you if you can give me an email (don’t want to link to it on a public board).

    Thanks again

    Plugin Support john

    (@johnweru)

    Hi there,

    Thanks for staying in touch with us.

    About your request here, what you can perhaps do is submit a support ticket here: https://simplecalendar.io/contact/ .

    I hope this helps.

    Kind Regards

    Thread Starter wigglepit

    (@wigglepit)

    Will do – thanks!

    Appreciate the support and plugin 🙂


    Hello

    Have you found a solution for this? I have the same issue.

    Thread Starter wigglepit

    (@wigglepit)

    Hi Oliver,

    I sent my info to the plugin developer by email and they followed up with me and offered good support. But as it turns out, I gave up on restricting the key, because I found this out and sent them this:

    I read that restricting the API Key may not be necessary if you restrict the key for only the Google Calendar API, and then set quotas to prevent abuse. So I just set really low quotas and it seems to be working. Will that be okay, or should I pursue it further?

    And they responded:

    In this case, yes, you can implement custom usage and spend limits in your account settings to act as a safeguard against unexpected usage due to leaked keys or errant scripts. Also, regular key rotation would be fine as well.

    So I just did that and let it be. Not sure if this helps or not. Good luck!

    Plugin Support john

    (@johnweru)

    Hi Oliver,

    I hope that you are fine.

    About your question here, the plugin only currently supports restriction via IP and not Website restriction. If however, you do not have a static IP, then I would suggest foregoing the API key restriction and instead setting usage limits to your account, as well as carrying out regular key rotation.

    I hope this information helps.

    Kind Regards
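
Added example, not written by any poster in this thread and not the plugin's code: both 403 bodies quoted above carry a `google.rpc.ErrorInfo` detail whose `reason` and `metadata` identify which key restriction rejected the call. The Python sketch below reads that detail and reports whether the restriction can ever match the caller; `diagnose`, the trimmed sample bodies and the `ALLOWED` list are constructed for illustration.

```python
import ipaddress
import json

# Constructed samples: the two 403 bodies from the thread, trimmed to the
# fields the check reads. ALLOWED is a made-up allow-list (TEST-NET-3 range).
REFERRER_403 = r'''{"error": {"code": 403, "status": "PERMISSION_DENIED",
 "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
  "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
  "metadata": {"service": "calendar-json.googleapis.com",
               "httpReferrer": "\u003cempty\u003e"}}]}}'''
IP_403 = r'''{"error": {"code": 403, "status": "PERMISSION_DENIED",
 "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
  "reason": "API_KEY_IP_ADDRESS_BLOCKED",
  "metadata": {"service": "calendar-json.googleapis.com",
               "callerIp": "34.173.182.72"}}]}}'''
ALLOWED = ["203.0.113.10/32"]


def diagnose(body, allowed_cidrs=()):
    """Classify a Google API key 403 body -> (reason, caller, finding)."""
    details = json.loads(body).get("error", {}).get("details", [])
    info = next((d for d in details
                 if d.get("@type", "").endswith("google.rpc.ErrorInfo")), None)
    if info is None:
        return ("UNKNOWN", None, "no ErrorInfo detail in the response")
    reason, meta = info.get("reason", "UNKNOWN"), info.get("metadata", {})
    if reason == "API_KEY_HTTP_REFERRER_BLOCKED":
        ref = meta.get("httpReferrer", "")
        if ref in ("", "<empty>"):
            # A backend fetch sends no Referer header at all.
            return (reason, None, "request carried no Referer (server-side "
                    "fetch); no website pattern can match it")
        return (reason, ref, "Referer is not covered by the key's website list")
    if reason == "API_KEY_IP_ADDRESS_BLOCKED":
        raw = meta.get("callerIp")
        if raw is None:
            return (reason, None, "callerIp missing from metadata")
        ip = ipaddress.ip_address(raw)
        nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
        if any(ip in n for n in nets):
            return (reason, raw, "IP is in the local list; the key's list differs")
        return (reason, raw, "egress IP is outside the allow-list; if it "
                "rotates, an IP restriction will keep failing")
    return (reason, None, "not an API key restriction error")


if __name__ == "__main__":
    for sample in (REFERRER_403, IP_403):
        print(diagnose(sample, ALLOWED))
```
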


The topic ‘API blocked’ is closed to new replies.