NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Google API key used in Chromium (and Firefox) does not work #173758

Open mweinelt opened 2 years ago

mweinelt commented 2 years ago

Describe the bug

Geolocation support via Google APIs is broken in both Chromium and Firefox source builds.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Open chromium or firefox (the source builds)
  2. Navigate to a site that requests geolocation (I use https://meshviewer.darmstadt.freifunk.net)
  3. Request location (upper right corner)

Expected behavior

The browser should find out where I am.

Screenshots

n/a

Additional context

Notify maintainers

@aszlig @primeos

mweinelt commented 2 years ago

Request

❯ http post https://www.googleapis.com/geolocation/v1/geolocate\?key\=AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI -v
POST /geolocation/v1/geolocate?key=AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 0
Host: www.googleapis.com
User-Agent: HTTPie/3.1.0

Response header

HTTP/1.1 403 Forbidden
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: private
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Fri, 20 May 2022 12:39:33 GMT
Server: scaffolding on HTTPServer2
Transfer-Encoding: chunked
Vary: Origin, X-Origin, Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0

Response body

{
    "error": {
        "code": 403,
        "details": [
            {
                "@type": "type.googleapis.com/google.rpc.Help",
                "links": [
                    {
                        "description": "Google developers console API activation",
                        "url": "https://console.developers.google.com/apis/api/geolocation.googleapis.com/overview?project=404761575300"
                    }
                ]
            },
            {
                "@type": "type.googleapis.com/google.rpc.ErrorInfo",
                "domain": "googleapis.com",
                "metadata": {
                    "consumer": "projects/404761575300",
                    "service": "geolocation.googleapis.com"
                },
                "reason": "SERVICE_DISABLED"
            }
        ],
        "errors": [
            {
                "domain": "usageLimits",
                "extendedHelp": "https://console.developers.google.com",
                "message": "Geolocation API has not been used in project 404761575300 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/geolocation.googleapis.com/overview?project=404761575300 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
                "reason": "accessNotConfigured"
            }
        ],
        "message": "Geolocation API has not been used in project 404761575300 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/geolocation.googleapis.com/overview?project=404761575300 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
        "status": "PERMISSION_DENIED"
    }
}
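
Added example, not part of the original thread: the response body above already states why the call fails, and a small parser for the `google.rpc` error details makes that explicit. The helper name `triage` and the trimmed sample body are constructed for illustration.

```python
import json

# Constructed sample: the 403 body from the comment above, trimmed to the
# fields this parser reads.
SAMPLE_BODY = json.dumps({"error": {
    "code": 403,
    "status": "PERMISSION_DENIED",
    "details": [
        {"@type": "type.googleapis.com/google.rpc.Help",
         "links": [{"description": "Google developers console API activation",
                    "url": "https://console.developers.google.com/apis/api/"
                           "geolocation.googleapis.com/overview?project=404761575300"}]},
        {"@type": "type.googleapis.com/google.rpc.ErrorInfo",
         "domain": "googleapis.com",
         "metadata": {"consumer": "projects/404761575300",
                      "service": "geolocation.googleapis.com"},
         "reason": "SERVICE_DISABLED"},
    ],
}})


def triage(body):
    """Summarise a Google API JSON error body (hypothetical helper)."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        err = None
    if not isinstance(err, dict):
        return {"verdict": "not a Google API error body"}
    out = {"code": err.get("code"), "status": err.get("status"),
           "reason": None, "project": None, "service": None, "help": []}
    for detail in err.get("details", []):
        kind = detail.get("@type", "").rsplit("/", 1)[-1]
        if kind == "google.rpc.ErrorInfo":
            meta = detail.get("metadata", {})
            out["reason"] = detail.get("reason")
            out["service"] = meta.get("service")
            out["project"] = meta.get("consumer", "").split("/", 1)[-1] or None
        elif kind == "google.rpc.Help":
            out["help"] = [link.get("url") for link in detail.get("links", [])]
    if out["reason"] == "SERVICE_DISABLED":
        # The key was mapped to a project; only the API is switched off there.
        out["verdict"] = "key resolved to a project, API disabled there"
    else:
        out["verdict"] = "other failure, inspect reason and status"
    return out


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BODY), indent=2))
```

On the body posted above this yields reason SERVICE_DISABLED for project 404761575300: the key was recognised and mapped to its project, and the refusal comes from the Geolocation API not being enabled there.
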
S-NA commented 2 years ago

Tangentially related: support for geoclue2 by default should be coming in version 102.

mweinelt commented 2 years ago

cc @edolstra, who is supposed to have access to these API keys.

edolstra commented 2 years ago

In the GCP console I don't see anything wrong with the key. But I do vaguely remember that Google was going to deprecate this stuff.

mweinelt commented 2 years ago

> "message": "Geolocation API has not been used in project 404761575300 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/geolocation.googleapis.com/overview?project=404761575300 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",

Which is part of the response in https://github.com/NixOS/nixpkgs/issues/173758#issuecomment-1132856489

edolstra commented 2 years ago

Enabling is apparently not free, $5 per 1000 requests, and I have no idea how many requests to expect.

Also, I got some emails from Google:

> We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project:
>
> Project NixOS aszlig (id: api-project-404761575300) with API key AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI
>
> The key was found at the following URL: https://github.com/ryantrinkle/nixpkgs/blob/08125c601e274fdaa4051781fa32e8fd8bf46a39/pkgs/applications/networking/browsers/firefox/common.nix

which suggests we shouldn't be using API keys in this manner.

mweinelt commented 2 years ago

According to the Arch Linux Chromium maintainer, Google does not seem to want to support distros any longer. Still waiting for feedback from the Gentoo folks.

> which suggests we shouldn't be using API keys in this manner.

We don't really have an option, and neither do other distros.

mweinelt commented 2 years ago

Gentoo seems to obfuscate their keys for that reason. They still rely on Google for geolocation and it works for them.

aszlig commented 2 years ago

> which suggests we shouldn't be using API keys in this manner.

Back then when I was getting those keys, we got explicit permission to do so, see 3c60e2ec39b11353779518e39a1d4aad13193b99 for the details.

aszlig commented 2 years ago

Also cc @antiagainst, since according to https://groups.google.com/a/chromium.org/g/chromium-packagers/c/ZytNtRam5II they seem to be handling some of those issues since Paweł left.

antiagainst commented 2 years ago

@aszlig: Sorry, I think you got the wrong person. I don't know about Google API key and Chromium stuff.

aszlig commented 2 years ago

@antiagainst: Whoops, sorry for the noise, I didn't think that there would be another person with the exact same name at Google.

aszlig commented 2 years ago

Just to inform everyone on the progress, I've got a reply via mail on Tuesday (June 21):

> Thanks for reaching out. I've forwarded your issue to the appropriate internal team. (Out of my control) Hopefully they can help.

m-bdf commented 10 months ago

Hi, any news on this?

aszlig commented 10 months ago

> Hi, any news on this?

Not as far as I know... we tried multiple times to contact them but haven't heard back so far, maybe @mweinelt has better news.

mweinelt commented 10 months ago

No, I actually lack the contacts for that kind of ask.