Why my Google Apps Script permissions are revoked after few days? - google-apps-script

I made a simple Telegram bot that runs on Google Spreadsheet with a help of Google Apps Script.
It does a lookup in sheets and optionally saves an uploaded file to my Google Drive.
Previously it was a Script attached to the Spreadsheet. Later Google suggested to create an App in Google Cloud Console and assign the script to that App id, so all API calls are accountable.
Script app is not verified and runs in "Publishing status: Test" mode. I only need it to access my account's data.
The permissions I gave to the script (access to Sheets, Drive) get automatically revoked without any notice after about 2-3 days, and the bot stops working. Until I revisit the Shpreadsheet, open Extensions - Apps Script, run any function and it asks for authorization again. Then the bot works for a couple of days more.
How can I make the permissions I give permanent?
Permissions I granted (again) to my app:
Updated menu of the Spreadsheet app:

From Setting up your OAuth consent screen > Testing
Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.
Considering the above you have to get your app to be verified by Google.

Related

Apps Script (Google Sheet) not allowing me to Run Script

I have a fairly simple dataset in a Google Sheet. I created an AutoSort script. I saved it, and when I click "Run," I get the following errors. One from a pop-up, and another from the Execution Log.
Pop-up error:
Authorization required
This project requires your permission to access your data.
*For this error, there is a button to "Review Permissions" and I log in using my google account and then just nothing happens.
Execution Log error:
Warning This project requires access to your Google Account to run. Please try again and allow it this time.
The Owner of this Google Sheet is my personal Gmail account, and I am making these edits and created the script using my business Gmail Admin account. I also tried to access this sheet and run the script USING my personal Gmail account, and received the same error:
Google hasn’t verified this app
The app is requesting access to sensitive info in your Google Account. Until the developer ({mypersonalemail}#gmail.com) verifies this app with Google, you shouldn't use it.
Any insight as to how I can authorize this would be appreciated. It sounds like something small I'm missing.
Also, in my personal email I receive a message with subject:
Review edits to your Apps Script project within your document
and it allows me links to access the worksheet and the script, but I don't see any way to approve the edits, or anything like that.
Expected behavior: What I am expecting is for the script to Run, when I click "Run."
It's not a good idea to mix accounts from different domains, specially when using a free account and a Google Workspace account like you have done because that is the cause of the situation that you are facing.
My hypothesis is that the Google Cloud default project linked to the bounded script is created with the account used to create the project.
If you need that you personal account be the spreadsheet owner the best is to create the script using the personal account, and when needed, create a Google Cloud Standard project (GCSP) using the the personal account. You might try to fix the problem with your spreadsheet and the current Apps Script project by creating a GCSP, as was mentioned previously, by using the account that is the owner of the spreadsheet and linking it to the Apps Script project.
Note: If your script is using sensitive scopes you might have to set the OAuth Consent Screen publishing status to tes and add your Google Workspace account as tester.
Ref: Setting up your OAuth consent screen
Once you have finished the setup of your Google Apps Script project you should be able to use your Google Workspace account to update and run the Apps Script code but any new deployment and new version should be done using your personal account.
If you have access to Shared Drives and are allowed to use them for your spreasheet, consider to move it to a Shared Drive as this will make a lot easier to manage your script.

User access request when GAS run as the user

In a GAS published as webapp bound to a spreadsheet in a public (free) Gmail account, I'm compiling information from many unrelated users into that spreadsheet, where any Gmail user account can access the webapp.
But when script is run as the user, the user can access the app (after user grants permissions to the app), but it stops at point where script accesses the spreadsheet. The user is told to request access. I have to "share" the spreadsheet to the user for the app to function when run as that user, but that is problematic--too many potential users.
If another version of the script is run instead under my account, then user has access to the webapp, but the script cannot access the user's Gmail address. Big problem because the webapp must have the user's Gmail address for security/application access controls.
(The webapp is in development and Google "approval" has not yet been sought.)
How do I have a webapp (a) that modifies content in a central spreadsheet, (b) that any Gmail user can access, (c) where the script has access to Session.getActiveUser().getEmail(), and (d) the user does not need to have edit permissions for that central spreadsheet? The only user-account information that the script needs is the user Gmail address--again for application access control and security. (Since Google provides me a link that gives anyone full access to the spreadsheet (if they also have its URL), can't I give the bound script access to the spreadsheet when run under any Gmail account, where the integrity of the spreadsheet content is managed through the app's functions and internal access controls?)
If there is no solution except to run the webapp under the user's Gmail account and give that user edit rights to the spreadsheet, would that create significant risk (where I don't intentionally/overtly disclose the spreadsheet's URL) that a user could access and alter the spreadsheet beyond the insert/edit functions performed by the webapp? If that risk is low, is there a function I could use in the webapp to automatically grant spreadsheet edit rights to a Gmail account when its Gmail address is pre-registered in the user list for the webapp?
Thank you!
Let me start with c): there is no way to make that Session.getActiveUser().getEmail() works for free Google accounts (i.e. gmail.com accounts) other than for the container / script owner.
Regarding a) b) and d) you might use the Google Sheets API making the calls to it by using UrlFetch Service and a service account instead of the Spreadsheet Service or the Advanced Sheets Service.
Regarding allowing anyone to edit a central spreadsheet, once they open it either by using the Google Sheets apps or by means a web app, they will be able to find the spreadsheet in Google Drive > Shared with me among other places... IMHO the risk in terms of how likely is to have issues is big but in terms of the the impact depends on several factors, i.e. some changes might be reverted by using the version history but spreadsheet might become corrupted. If you have not used Google Sheets version history intensively the best is to get deeply familiar with it before relying on it as a backup / disaster recovery main tool .
From https://developers.google.com/apps-script/reference/base/session#getactiveuser
getActiveUser()
Gets information about the current user. If security policies do not allow access to the user's identity, User.getEmail() returns a blank string. The circumstances in which the email address is available vary: for example, the user's email address is not available in any context that allows a script to run without that user's authorization, like a simple onOpen(e) or onEdit(e) trigger, a custom function in Google Sheets, or a web app deployed to "execute as me" (that is, authorized by the developer instead of the user). However, these restrictions generally do not apply if the developer runs the script themselves or belongs to the same Google Workspace domain as the user.
Related
Use Apps Script URLFetchApp to access Google Datastore Data
Google Service Accounts / API - I keep getting the Error: Access not granted or expired. (line 454, file "Service")

I want to complete the verification of the Google Apps Script

I am creating and hosting a web app with Google Apps Script(html). The screen of 'Unverified app screen' is displayed.
Google workspace is not used.
With over 100 users, access to the app is now blocked.
https://developers.google.com/apps-script/guides/client-verification?hl=en#applicability
I'm trying to request verification of the app by referring to the following article, but I'm stumbling on the confirmation of ownership of Apps Script in step 1.
※google cloud platform project has already been created, and is linked to the Apps script project.
Is there a way to check the ownership of a web page launched with Google Apps Script using the Google search console?
They need to click on the unsafe link and authorize the script.

Unable to open Google xlsx spreadsheet / Also Google Drive permission Blocked

I have a Google Apps Script that I am currently using to successfully open a Google Sheets spreadsheet (read-only shared with my account) and perform some reading functions.
I received another spreadsheet that I would like to run similar processes on.
If I try:
SpreadsheetApp.openById("_______") (which works on the other sheet), I get Exception: Service Spreadsheets failed while accessing document with id _____" with this sheet. This spreadsheet is actually an xlsx on Google Drive (but appears it can still open in Google sheets) rather than a native Google sheet so I figured maybe that was the issue...?
So now I'm trying to instead access it as a Google Drive file using DriveApp.getFileById("____"). However now I get an authorization request to allow my script to access Google Drive. When I authorize it, I get:
This app is blocked
This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.
I haven't found a way to fix this. I'm on a private Google account, not using a company's Apps.
Any ideas?
Found a solution to the permission issue.
To work with Apps Script, I've modified this from #alper's solution which sources #tellowkrinkle's comment.
Do the following:
Go to https://console.developers.google.com and create a new project for yourself
Search for the Google Drive API in the search box at the top, and turn it on
Click OAuth consent screen on the left and set it up.
Assuming your account isn't part of an organization, you'll have to say your app is for external users and in testing
In the required scopes section, add .../auth/docs and .../auth/drive (I'm not sure which needed, it's probably only one of those). This will probably not be available if you didn't complete (2)
Add the accounts you want to use with your copy of gdrive as testers of your app. Only these accounts will be able to use your copy of gdrive, so everyone will have to compile their own (unless someone goes and gets theirs reviewed by Google). I only added my own account because I am the only one using my App Script which uses my Drive.
Click the 3 dots on the top right and select "Project settings". Make note of the "Project number".
Go to your Apps Script. Go to Resources > Cloud Platform project. Insert the project number from (4).
Next time you try to run your Apps Script, you'll be asked to Authorize but this time you'll have the chance to actually do it successfully.

Publishing Google Sheets Addon - site verification

I've built a Google Sheets script that queries my company's API and outputs the data from my platform into a spreadsheet. It takes the username and password using a form and then runs an API call to output the results to Google Sheets.
When I tried to publish the addon, I received feedback that I needed to comply with Google OAuth verification. To get this verification, I need to prove that the domain is mine; although I have access to GA for our site (which isn't working for the verification), I am not the domain owner. So, I was wondering, is there a way to publish this Google addon for my company account and what are the next steps to complying with Google OAuth?