How can I hide a token in the Firebase function? - google-cloud-functions

I have created a subscription form on my Gatsby website.
I wanted to send a request to ActiveCampaign with the contact data but I couldn't, due to CORS policy. So I created a Firebase function to which I send the data from the form and, in the headers, the ActiveCampaign API token. Everything works, but when I go to my Firebase function's address I see the ActiveCampaign token on the website.
So if someone gets the address of my Firebase function, they will also get an API token for ActiveCampaign. How can I hide this token?
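One way to keep the token out of the browser entirely, as an added example (not code from the question, from Firebase or from ActiveCampaign): the function reads the token from its own environment (variable names `ACTIVECAMPAIGN_API_TOKEN`, `ACTIVECAMPAIGN_ACCOUNT_URL` and `ALLOWED_ORIGIN` are assumptions), accepts form posts only from the Gatsby site's origin, forwards the contact to ActiveCampaign server-to-server, and answers the browser with a status only. In Firebase the handler would be exported as `exports.subscribe = functions.https.onRequest(handlerFromEnv())`; that wrapper is omitted so the block runs stand-alone.

```javascript
function createSubscribeHandler({ token, accountUrl, allowedOrigin, fetchImpl }) {
  if (!token) throw new Error('ActiveCampaign token is not configured');
  return async function subscribe(req, res) {
    // Only the Gatsby site may use this proxy; browsers send Origin on cross-site requests.
    const origin = req.headers.origin || '';
    if (origin !== allowedOrigin) {
      return res.status(403).send({ error: 'origin not allowed' });
    }
    res.set('Access-Control-Allow-Origin', allowedOrigin);
    res.set('Access-Control-Allow-Headers', 'Content-Type');
    if (req.method === 'OPTIONS') return res.status(204).send(''); // CORS preflight
    if (req.method !== 'POST') return res.status(405).send({ error: 'method not allowed' });
    // Validate the form input before spending an upstream call on it.
    const email = String((req.body && req.body.email) || '').trim();
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
      return res.status(400).send({ error: 'invalid email' });
    }
    // The token travels only on this server-to-server request, never to the browser.
    const upstream = await fetchImpl(`${accountUrl}/api/3/contacts`, {
      method: 'POST',
      headers: { 'Api-Token': token, 'Content-Type': 'application/json' },
      body: JSON.stringify({ contact: { email } }),
    });
    // Report success or failure only; never forward the upstream body or headers verbatim.
    return res.status(upstream.ok ? 200 : 502).send({ ok: upstream.ok });
  };
}

// Wires the handler to the function's environment (variable names are assumptions).
function handlerFromEnv(fetchImpl = globalThis.fetch) {
  return createSubscribeHandler({
    token: process.env.ACTIVECAMPAIGN_API_TOKEN,
    accountUrl: process.env.ACTIVECAMPAIGN_ACCOUNT_URL,
    allowedOrigin: process.env.ALLOWED_ORIGIN,
    fetchImpl,
  });
}

// Minimal stand-in for the Express-style `res` Firebase passes to onRequest (constructed for the demo).
function recordingResponse() {
  const r = { statusCode: 0, headers: {}, body: undefined };
  r.set = (k, v) => { r.headers[k] = v; return r; };
  r.status = (c) => { r.statusCode = c; return r; };
  r.send = (b) => { r.body = b; return r; };
  return r;
}
```

The Origin check keeps other websites' visitors from using the proxy but does not stop scripted callers, so pair it with Firebase App Check or rate limiting if the ActiveCampaign quota matters.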

Related

Identity API Scope Approval UI preventing OAuth Verification

I have a Chrome extension I am trying to get through OAuth verification. The requirement is that I do a screen recording displaying the URL with the client ID in it. When going through authentication, an application which appears to be part of the Chrome package, called Identity API Scope Approval UI, pops up for the authentication. The OAuth verification team continues to tell me I need to submit with a URL bar. How do I get the URL back?
This line of code requests the token:
chrome.identity.getAuthToken({ interactive: true }, function (token) {})
The Identity API Scope Approval UI can be right-clicked and the URL seen at the top. Maximize the window and you should be able to get a view of the client ID. I also displayed the HTML with the client ID for good measure.

Sending request from Dialogflow to Appscript with Authentication

I'm having difficulty sending a fulfillment request from Dialogflow to Apps Script. Please note I have no issue sending requests from Apps Script to Dialogflow.
My goal is to allow Dialogflow to hit the Apps Script web application and get the data from the integrated Google Sheet.
However, I could not figure out how to do it. My project's network is restricted by the company, so it is impossible to publish the web app for anyone to use. Therefore I need to figure out how to send requests from Dialogflow's fulfillment to Apps Script with authorization such as a username and password or an OAuth token.
I spent a lot of time looking for answers and still cannot figure out how to make the request from Dialogflow to Apps Script.
Any help will be highly appreciated. Thanks!!!!
I already tried sending the request from Dialogflow to Apps Script, bypassing the OAuth token. But the response is an HTML page asking me to sign in on the consent screen, which I cannot do through the response. I am wondering whether it is possible to skip the consent screen. Also, what information do I need to put in the username or password part?

Receive authentication response data from a non-Google service via a Gmail add-on

I'm building a Gmail add-on with 2 steps:
Authorization with Gmail account.
Authenticate to access my service.
Example: The same as Trello add-on:
When I click the button to login, a login form appears like this:
I want to receive data response after sign-in. I've read ActionResponse documentation, but can not find a solution.
How can I receive the data response?
I believe you are trying to authorize a custom service.
In order to authorize a custom service like Trello, you will have to configure OAuth for it.
Create an OAuth service in the Gmail add-on to request access to Trello.
Once the user completes the OAuth flow, you can use the OAuth service to get the access token. Use this token to access the endpoints whenever required.
Refer to the example.
Edit 1:
Action Response
The usage is as follows:
//action (named differently from the handler so the global function is not shadowed)
var testAction = CardService.newAction().setFunctionName('onTestBtnClick');
//Button
var testBtn = CardService.newTextButton().setText('test').setOnClickAction(testAction);
//action handler, invoked by name when the button is clicked
function onTestBtnClick() {
  //do some action and finally open google.com
  return CardService.newActionResponseBuilder()
      .setOpenLink(CardService.newOpenLink()
          .setUrl("https://www.google.com"))
      .build();
}
You need to set up a separate authentication page for your server (3rd-party service). The user has to go through the auth process on your page. Once the user successfully authenticates with your page, you need to redirect them to the redirect_uri, which is passed to your page from the add-on as a URL parameter. The script at the redirect_uri will hit your token URL endpoint, which you specify when initiating the add-on's auth service. If your token URL endpoint returns a valid response, the authCallback function in your add-on code is triggered, which caches the session and lets the user proceed with using your add-on.
Here's a diagram of the overall flow:
Check out this library Google provides to make the implementation easier.
Also check out my post, which goes into more detail on how to connect your 3rd-party services to a Gmail add-on.
Please see this documentation: https://isamatov.com/gmail-add-on-connect-non-google-service/
This will provide you your answer.
You need to set the login page URL in
setAuthorizationBaseUrl('https://domain/login.php')
The response which you want to receive needs to be set in the URL below:
setTokenUrl('https://domain/response.php')
function getService() {
  var props = PropertiesService.getScriptProperties(); // keep client credentials out of source
  return OAuth2.createService('Demo Auth')
      .setAuthorizationBaseUrl('https://domain/json.php')
      .setTokenUrl('https://domain/token.php')
      .setClientId(props.getProperty('CLIENT_ID'))
      .setClientSecret(props.getProperty('CLIENT_SECRET'))
      .setCallbackFunction('authCallback')
      .setPropertyStore(PropertiesService.getUserProperties());
}

How to Sign Into Specific Google Drive Account through Javascript Google Drive API

I am trying to run a script off of my Google Drive through the JavaScript Google Drive API. This works fine, but only if I sign into my account on the popup that opens. I wish to sign into the same account every time and so was wondering if there was any way to automate this login so as to spare users having to enter that login information.
In short, you would have to log in at least once, every time after the Google Identity Provider JSON Web Token expires. I am not sure how long this would be with the Google Drive API, but typically these tokens may be valid for anywhere from a single request to days.
Here is the Documentation for the Google API OAuth2
https://developers.google.com/identity/protocols/OAuth2
Refresh the access token, if necessary.
Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
Note: Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.
Google has provided a quickstart guide for implementing user sign-in via Google APIs. Google uses the OAuth2 protocol, in which you must register with Google as a client application. Once registered as a client application, you will be issued a client ID, which you typically provide to your application in some form of application initialization.
Here is a link to their quickstart guide, which will help you get started:
https://developers.google.com/drive/v3/web/quickstart/js
Note that this is a basic example that does not demonstrate how you might persist a JSON Web Token so that the user does not have to log in on every request. I outline a simple approach to managing authentication in JavaScript and Angular to get you moving in the right, if incomplete, direction.
For example, in Angular:
// Configures the required variables before Running an Instance of the App
angular.module("yourModuleName").config(configureApp);
AND
// Executed when the App Instance launches, allowing you to connect to Google APIs when the App starts
angular.module("yourModuleName").run(runApp);
Where configureApp and runApp are JS functions that handle application initialization in the AngularJS framework. The code in the following example would retrieve the app's Google client ID from its own REST API. This is just an example of where you could retrieve these credentials from storage, but it is most likely not the most secure example:
// Declared at module level so both configureApp and runApp can see them (the original
// declared them inside the HTTP callback, where runApp could not reach them).
var CLIENT_ID;
// Array of API discovery doc URLs for APIs used by the quickstart
var DISCOVERY_DOCS = ["https://www.googleapis.com/discovery/v1/apis/drive/v3/rest"];
// Authorization scopes required by the API; multiple scopes can be
// included, separated by spaces.
var SCOPES = 'https://www.googleapis.com/auth/drive.metadata.readonly';

var configureApp = function($http, $window) {
  // Note: $http is a service, so AngularJS cannot inject it into a .config() block;
  // in practice this lookup belongs in the .run() block or a provider, and runApp
  // must wait for the promise below before calling gapi.client.init.
  // Setup your CLIENT ID from your own REST API (or any other mechanism you may choose)
  var httpPromise = $http.get("http://myApp.myDomain.com/config/googleClient");
  // Handle the Response from the above GET Request
  httpPromise.then(
    // Handle Success
    function(response) {
      // Store the CLIENT ID in local storage for example
      $window.localStorage.setItem("GOOGLE_API_CLIENT_ID", response.data.clientId);
      // Setup the App Wide variables for Google API
      // Client ID and API key from the Developer Console
      CLIENT_ID = response.data.clientId;
      // Do more initialization configuration
    },
    // Handle Failure
    function(err) {
      console.error("Could not load the Google client configuration", err);
    }
  );
};

var runApp = function() {
  // Initialize the API (gapi is the Google API client loaded by the quickstart)
  gapi.client.init({
    discoveryDocs: DISCOVERY_DOCS,
    clientId: CLIENT_ID,
    scope: SCOPES
  }).then(function () {
    // Listen for sign-in state changes.
    gapi.auth2.getAuthInstance().isSignedIn.listen(updateSigninStatus);
    // Handle the initial sign-in state.
    updateSigninStatus(gapi.auth2.getAuthInstance().isSignedIn.get());
    // updateSigninStatus, handleAuthClick, handleSignoutClick and the two buttons
    // are defined in Google's quickstart linked above.
    authorizeButton.onclick = handleAuthClick;
    signoutButton.onclick = handleSignoutClick;
  });
};
Which function to use with Angular would depend on the app lifecycle stage you need to target in an AngularJS app. This approach can be applied in other JS frameworks like React and Backbone.
To highlight another perspective from the documentation, updateSigninStatus would be a great place to capture the JSON Web Token returned by Google's Authorization request at which point you could store this token in the browser's window.localStorage for re-use.
You then could reuse the token whenever the Google API requires authentication. Tokens typically have an expiration. Until the token expires, you would be able to prevent the API from displaying a login modal.
This does mean you would still have to manage the logic behind the Authorization process using this approach, monitoring any response from Google requesting a token refresh or re-authentication.
Auth0 is a great Authentication and Authorization plugin available in many languages for connecting with Google and many other OAuth2 Identity Providers. The Google Drive API uses their own Identity Provider Service to confirm the Identity of your apps users in tandem with your registered app's Client ID.
Here are links that I found when implementing Authorization for a project that required me to implement Authorization using the Google Identity Provider:
https://jwt.io/
https://auth0.com/
Best practices for authentication and authorization in Angular without breaking RESTful principles?
https://thinkster.io/tutorials/angularjs-jwt-auth
You are saying that all users log in to the same Google account?
In that case you have 2 options.
1/ Write a server application that has a stored refresh token. Create an endpoint that allows an authenticated user to request an access token.
2/ Embed a refresh token in your JavaScript, but make sure that only authenticated users can load the JS.

Box file service file actions

When building a File Service App, how can my app send data back to Box? I've been reading about the callback URLs to send data to my app, but I don't see how my app can send data back that will update a user's Box account, like there is with the Content API.
The token you get from Box in the callback is valid for you to call APIs. Just use it in the header, and you'll be able to call APIs.