Access browser cookies from Google Apps Script - google-apps-script

I am new to Google Addon development. I have been working to develop a Gmail addon using the Google Apps script.
My current requirement is to retrieve some information from a website which is authenticated in the same browser (in a different tab). The website supports different authentication types (SAML SSO, Active Directory etc) and require multi factor auth. So it is not possible (or practical) to perform all types of authentication from the Apps Script.
Instead, My idea was to have the user login manually (not the addon script itself) into the site (using whatever authentication is configured for the user) . The login action results in authentication cookies stored in the Browser. I want use those cookies in this Addon script to perform API.
This works fine with chrome extensions.
So, My question is, is it possible to retrieve stored cookies in a browser using the URL name from the Apps Script?

This is strictly not possible. Google Apps Script code does not run in the browser. Although Apps Script shares many conventions and similarities with frontend (browser) development, it actually runs in a sandboxed environment on Google's servers, so it is not possible to access the standard web APIs that you're used to when developing for the browser.

Related

Google Script as a webhook receiver [duplicate]

I want to set up a Push Notification using the Google Drive API and a web hook set up with Google Apps Script. I cannot figure out if this is possible or not.
The part of the steps that I can't figure out are the domain verification steps. I have a web app published with a doGet as below:
function doGet() {
refreshCandidates();
return HtmlService.createHtmlOutput('<b>google site verification</b>')
.addMetaTag('google-site-verification', 'Iu3xxxxxx')
.setSandboxMode(HtmlService.SandboxMode.IFRAME);
}
When I try to verify the url it gives me https://script.google.com/...ZS2/exec as an endpoint. But when I try to verify it is hitting https://script.google.com/...ZS2/exec/ and finding a completely different meta tag.
Has anyone successfully used the drive api and push notifications with google apps script? What am I missing?
Unfortunately, it is no longer possible to verify a GAS Web App url. Up until around August 2019, there was an option to "Register in Chrome Web Store" available under the "Publish" menu in the App Script editor. Back then any Web App so registered would have its URL automatically verified. However, that option has since been removed, and the verification methods available under the search console simply do not work for GAS Web App urls.
Furthermore, even when verification was feasible, it was not possible to effectively leverage Drive Push notifications since all relevant notification information is stored in HTTP headers which are not accessible from a GAS doPost() function.
Google Apps Script is no longer a viable platform for implementing Google API Push Notifications across most services (Gmail, Drive, Calendar, Admin Directory etc.). If you want to stick with Google's cloud offerings, there are alternatives you can explore. Google Cloud Functions is one such option.
UPDATE: Gmail leverages Cloud Pubsub for push notifications and this service has recently been updated to remove the need for domain verification for push endpoints. So, going forward its now possible to use GAS Web App URLs in this scenario.
Currently, it doesn't seem to be possible to verify webapp published using Google apps script using Google site verification from search console.
Feature request to Google was made. The issue can be tracked here. Consider adding a star(on top left) for Google to prioritize the issue.

How to verify ownership of a Google Apps Script in Webmaster [duplicate]

I want to set up a Push Notification using the Google Drive API and a web hook set up with Google Apps Script. I cannot figure out if this is possible or not.
The part of the steps that I can't figure out are the domain verification steps. I have a web app published with a doGet as below:
function doGet() {
refreshCandidates();
return HtmlService.createHtmlOutput('<b>google site verification</b>')
.addMetaTag('google-site-verification', 'Iu3xxxxxx')
.setSandboxMode(HtmlService.SandboxMode.IFRAME);
}
When I try to verify the url it gives me https://script.google.com/...ZS2/exec as an endpoint. But when I try to verify it is hitting https://script.google.com/...ZS2/exec/ and finding a completely different meta tag.
Has anyone successfully used the drive api and push notifications with google apps script? What am I missing?
Unfortunately, it is no longer possible to verify a GAS Web App url. Up until around August 2019, there was an option to "Register in Chrome Web Store" available under the "Publish" menu in the App Script editor. Back then any Web App so registered would have its URL automatically verified. However, that option has since been removed, and the verification methods available under the search console simply do not work for GAS Web App urls.
Furthermore, even when verification was feasible, it was not possible to effectively leverage Drive Push notifications since all relevant notification information is stored in HTTP headers which are not accessible from a GAS doPost() function.
Google Apps Script is no longer a viable platform for implementing Google API Push Notifications across most services (Gmail, Drive, Calendar, Admin Directory etc.). If you want to stick with Google's cloud offerings, there are alternatives you can explore. Google Cloud Functions is one such option.
UPDATE: Gmail leverages Cloud Pubsub for push notifications and this service has recently been updated to remove the need for domain verification for push endpoints. So, going forward its now possible to use GAS Web App URLs in this scenario.
Currently, it doesn't seem to be possible to verify webapp published using Google apps script using Google site verification from search console.
Feature request to Google was made. The issue can be tracked here. Consider adding a star(on top left) for Google to prioritize the issue.

Apps Script consent screen issues with Authorized JavaScript origins

I developed an Apps Script Web App that uses some Google Apis (drive, calendar, etc.).
I wrote Terms and Privacy Policy and requested Google to approve it, and they keep bugging me that I need to remove, from "Authorized Javascript origins", anything that is not hosted on my real TLD's (own domains).
The problem is I need to put on the authorized origins some https://n-blablabla-0lu-script.googleusercontent.com URL's, because those are the origins of the Apps Script itself, where the LOGIN button is.
Basically when someone enters my app, if it is not yet logged in, I show in the app itself a Login button, and once the user logs in, I request the permissions. This is pretty common, and since the Apps Script runs in google platform, it has google on its URL/origin.
I spent ~2 weeks with Google Support trying to explain them that I cant remove those authorized origins of https://n-blablabla-0lu-script.googleusercontent.com, otherwise, I do get this:
idpiframe_initialization_failed: Not a valid origin for the client
The Google Sign-in library requires that the domain registered in the Google Developers Console matches the domain being used to host the web page. Ensure that the origin you registered matches the URL in the browser.
the Web App is embedded on a Google Sites (new) iframe

Get and Use Access Tokens after user has authenticated with a google web app

I have developed a google apps script web app, in conjunction with an MIT App Inventor app, that will/should allow a user to access their own google drive/sheets/documents.
I am having trouble connecting to the web app through the Appinventor app's web component (not a webview), after the user had given their authorization to use the web app via their device's default browser (Chrome).
My Web App is connected to Google Cloud Console and has been verified by the Trust and Safety Team at Google. The app is set to "User who assesses the app" and "Anyone". I can't use the native webview in AppInventor, because Google blocked this off for authentication in 2016.
The web component offers GET/POST/PUT HTTP functions but I have no idea how to get the authorisation codes and tokens for a user in order to access the web app. (Note; the web app has no GUI, it simply receives GET requests and returns text/stringified json output for a range of functions.) I have been able to translate many curl examples in other situations to good effect with the web component, but not for 0Auth.
I have done my best to read up and use the offerings from Google on 0Auth, but just get lost halfway through, as always, nothing I do is quite the same as the examples or documentation provided.
How do I, therefore, construct HTTP GET URLs, with all the various authorization codes and tokens already in place, that will authorize the Web App to work for the user?
A simple request would be like this:
https://script.google.com/macros/s/AKfycbyZ_27nLOKi8ssX........Bz40yAbGfJt_TRswvm6zpY/exec?func=authenticate
which would return the text output "Authenticated"
With a web browser (Chrome) all of this is fairly straight forward for a user. If they are logged into their Google account in the browser they go to the URL provided for my web app, they will be asked to authenticate, and give my Web App access to their google account. Once accepted, 'magic' happens in the browser (any 'magic' happen at the web app end?), and as long as they stay logged in, they can use the browser to send GET requests (URLs with parameters) to the Web App and see the results returned in their browser. Happy days.
In my scenario, I do not have a suitable web browser capable of all of the above. I have a web component that can send GET/POST requests to web services, and handle the server responses. (think of it as a web 'terminal'). I can, therefore (hopefully) construct URLs with all the right content, codes, and parameters. Remember that this has to be straight forward for the user, who will not be interested in 'back end' activities, they will just want to use the app to do things on their google drive.
They need to, I guess, at the very least, perform the authentication in a web browser, to connect their Google account with the web app. Then with the web component connect to the web app using authorization codes and access tokens, as them (their google account) so that actions by the web app occur on their google drive. As stated above, the web app is set to "User who accesses the app" and "Anyone". This is the part I need help with. I do not understand what I need to do to connect the user to the web app without using a web browser.
This is the kind of thing I mean:
https://developers.google.com/gdata/articles/using_cURL
Your setting of Web Apps and goal is as follows.
Web Apps is deployed as Who has access to the app: Anyone.
You want to make users access to Web Apps.
Issue and solution:
In the current situation, there are the following situations for using Web Apps.
When the users access to the Web Apps by each browser, the users can access by logging in to each Google account.
When you want to make users access to the methods (for example, curl command and script) except for the browser, it is required to share the Google Apps Script project of Web Apps with the users.
Unfortunately, it seems that above situation is the current specification. I confirmed the change of this specification at April 11, 2018. Before this change, the users had been able to access to the Web Apps by the curl command and script with the access token without sharing the Google Apps Script project. By the change of specification, when the project is shared with the users, the users can access to Web Apps using the access token.
In this case, it is required to include the access token to the request headers. Because in the current stage, access_token=### as the query parameters cannot be used. Ref
Note:
From this situation, I think that when sharing the Google Apps Script project is not the direction you expect, in the current stage, the Web Apps with Who has access to the app: Anyone cannot be used by the method except for the browser.
References:
Taking advantage of Web Apps with Google Apps Script
Web Apps

Adding external Google APIs to add-on initial auth scopes

I've built a Google Sheets add-on that retrieves data from the Google Search Console API and writes it to the user's spreadsheets.
Since the Search Console API isn't available in the "Advanced Google services" section in Apps Script, I used the OAuth2 library available on GitHub, with the "https://www.googleapis.com/auth/webmasters.readonly" scope. It currently uses separate credentials in the Developer Console.
While the add-on works fairly well, when a user installs it for the first time, he/she has to authorize it using Google's OAuth process for certain scopes that are automatically detected in the script (managing spreadsheets, send emails, do external requests, and so on). After the authorization is completed, the add-on displays the usual add-on sidebar where the user has to do an additional OAuth process, this time for approving access to the Search Console API (via the OAuth2 library mentioned earlier).
My goal would be to include the Search Console scope in the initial OAuth process, so that users wouldn't need to go through the process twice. Unfortunately, the "Scopes" section in the Apps Script Project Properties isn't editable, so I cannot add that manually, and as far as I know there's no way to make it so it gets automatically detected.
Is there any way to do that? Would it make any difference if I were to use the Apps Script credentials for the OAuth2 library that I'm using to access the Search Console API (instead of having a separate set)?
Thanks!
As stated in this documentation, Google Apps Script can interact with APIs from all over the web. This guide shows how to work with different types of APIs in your scripts. You can use the UrlFetch service to make API requests directly.
Make requests to services with OAuth
APIs that act on behalf of a user usually require authorization, often using the OAuth protocol. Apps Script doesn't provide built-in support for the protocol, but there are open source libraries you can use to perform the OAuth flow and send the credentials with your requests:
OAuth1 for Apps Script: Compatible with OAuth 1.0 and 1.0a.
OAuth2 for Apps Script: Compatible with OAuth2.
This link might also help:
Making HTTP Requests Directly
If Google Authentication is desired for external applications, or a Google API is not available yet in this library, HTTP requests can be made directly.
The authorize method returns an authorized Guzzle Client, so any request made using the client will contain the corresponding authorization.
It is now possible to customize the OAuth list of a project via editing its manifest file: https://developers.google.com/apps-script/concepts/scopes
Google mentions that not all Google OAuth scopes are included (I haven't managed to find an exact list), but I've tested adding the Google Search Console scope and it seems to work fine.