Recommended way to store security token in gmail addon? - gmail-addons

While building a Gmail add-on, is there a recommended storage for storing secured tokens from a third party application?
Thanks.

You can use the PropertiesService service of the app-script to store the secured tokens.
To set properties:
PropertiesService.getScriptProperties().setProperty('DAYS', '5');
To get properties:
PropertiesService.getScriptProperties().getProperty('DAYS');
You can find more in the Google Apps Script reference.

Related

How to make changes to a single user's google calendar using google apps script

I'm designing a google apps script that is linked to a bot that needs to add and delete events to a specific user's calendar. I need to find a way to do this without giving edit access to all people with access to the script. I was thinking of using the calendar api but that uses oauth2.0. Is there a way to use an api key instead? Another option I was considering was using a service account with domain-wide delegation, but I don't know if it's possible to do what I want with it. Any ideas would be helpful.
This is a little advanced, but feasible.
You need to use the Calendar API with a service account and domain-wide delegation and OAuth2. I have described the process in this story on Medium (make sure to read through all three examples), however the steps are pretty much as follows:
Create a service account
Download its JSON key
Enable domain-wide delegation
Impersonate a super-user
Create token with OAuth2
Send request to the Calendar API with Bearer token generated with OAuth2

Can email be deleted from your users' Gmail inboxes programmatically via API?

The "Find and delete malicious emails" page in the Google Workspace Admin Help Center states:
Using the investigation tool, you can identify all users in your domain that have received the message (for example, a phishing email). You can then use the investigation tool to delete the email from your users' Gmail inboxes (note that log data might take up to a few minutes before being available in the investigation tool).
From this, I understand that, assuming you have the right package, it is possible to use the investigation tool to delete the unwanted email from your users' Gmail inboxes.
Can I delete emails from my users' Gmail inboxes via Google App Script using the API? If so, how can I do that?
Currently it is not possible with the Investigation tool
But there is already an existing feature request for exposing the Google Workspace Investigation Tool programmatically.
I recommend you to "star" it to show Google that more people are interested in this feature - hopefully this will accelerate the implementation.
UPDATE:
In the meantime you can use a workaround, e.g. using a service account with domain-wide delegation as suggested by #TheAddonDepot.
It is possible via DwDg (domain-wide delegation).
You have to create a service account and delegate domain-wide authority to that service account with the appropriate scopes. There are no explicit instructions for the Gmail API but you can use this guide from the Admin Directory API documentation.
You then use the service account credentials with the GAS OAuth2 Library to make calls on behalf of your existing users to the Gmail API. Note that you can't use the built-in or advanced services for Gmail, you'll have to call out to the Gmail REST API directly via UrlFetchApp.
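The service-account steps listed in the calendar answer earlier on this page, and the delegation workaround described here, both come down to signing a JWT that names the user to act as. This is an added example in Node.js, not code from any of the posts, that builds and checks that assertion; the key pair, addresses and scope are constructed, and inside Apps Script the OAuth2 library mentioned above performs this signing.

```javascript
// Added example (Node.js). The key pair, addresses and scope are constructed for the demo.
const nodeCrypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const b64url = (v) => Buffer.from(v).toString('base64url');

// Build the signed JWT a service account presents to obtain a token for `subject`.
function buildAssertion({ clientEmail, privateKey, subject, scopes, now = Date.now() }) {
  if (!subject) throw new Error('subject (the user to act as) is required');
  if (!Array.isArray(scopes) || scopes.length === 0) throw new Error('scopes are required');
  const iat = Math.floor(now / 1000);
  const claims = {
    iss: clientEmail,         // service account e-mail (client_email in the JSON key)
    sub: subject,             // impersonated user; only honoured with domain-wide delegation
    scope: scopes.join(' '),  // must be within the scopes the admin delegated
    aud: TOKEN_URL,
    iat,
    exp: iat + 3600,          // one hour is the maximum lifetime accepted
  };
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  const signature = nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return input + '.' + b64url(signature);
}

// Form body to POST to TOKEN_URL; the JSON response carries access_token.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Local check of the signature and claims, as any holder of the public key can do.
function verifyAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split('.');
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(h + '.' + c), publicKey, Buffer.from(s, 'base64url'));
  return { ok, claims: JSON.parse(Buffer.from(c, 'base64url').toString()) };
}

// Constructed demo: a throwaway key stands in for private_key from the downloaded JSON file.
function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwt = buildAssertion({
    clientEmail: 'bot@example-project.iam.gserviceaccount.com', privateKey,
    subject: 'user@example.com',
    scopes: ['https://www.googleapis.com/auth/calendar.events'],
  });
  return { jwt, publicKey, body: tokenRequestBody(jwt), ...verifyAssertion(jwt, publicKey) };
}
```

The `access_token` returned for this assertion goes in the `Authorization: Bearer` header of the Calendar or Gmail REST call; because the JSON key can mint tokens for any user in the domain within the delegated scopes, delegate only the scopes the job needs.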

How to store 3rd party api credentials in google app scripts securely

I'm building a google app script which runs time based to retrieve data from a 3rd party api (non google service) and store it in a google sheet.
I'd like to allow multiple users to use this script. Thus every user should be able to provide his credentials to the script and these should be stored securely.
How do I store 3rd party api credentials in google app scripts securely?
How do I allow a user to input his api credentials?
Thx in advance, I really appreciate your expertise!
- How do I store 3rd party api credentials in google app scripts securely?
The Properties Service in Google Apps Script is designed exactly for this use case. When your code calls the Properties Service to either store or fetch the API credentials, make sure that you use the getUserProperties() method. This will ensure that each user's credentials are stored securely in their own secret store.
- How do I allow a user to input his api credentials?
The Ui Class in Google Apps Script allows you to generate user input dialogs. Specifically, you'll need to use the prompt() method of the Ui Class to accept user input.
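An added example, not part of the answer above, that puts the two pieces it names together: a `prompt()` dialog that takes the key and a per-user store reached through `getUserProperties()`. The function names and the property key are hypothetical, and it assumes a script bound to a spreadsheet.

```javascript
// Added example (Apps Script). Function names and the property key are hypothetical.
const API_KEY_PROP = 'THIRD_PARTY_API_KEY';

// Menu handler: ask the current user for their key and store it for that user only.
function promptForApiKey() {
  const ui = SpreadsheetApp.getUi();
  const res = ui.prompt('API credentials', 'Paste your API key:', ui.ButtonSet.OK_CANCEL);
  if (res.getSelectedButton() !== ui.Button.OK) return false;  // cancelled or closed
  const key = res.getResponseText().trim();
  if (!key) {
    ui.alert('No key entered; nothing was stored.');
    return false;
  }
  // User properties are readable only by the user who stored them.
  // Script properties, by contrast, are shared by every user of the script.
  PropertiesService.getUserProperties().setProperty(API_KEY_PROP, key);
  return true;
}

// Read the key back. In an installable time-based trigger the script runs as the
// user who created the trigger, so this returns that user's key.
function getApiKey() {
  const key = PropertiesService.getUserProperties().getProperty(API_KEY_PROP);
  // Keep the error free of secret material; it can end up in execution logs.
  if (!key) throw new Error('No API key stored for this user; run promptForApiKey first.');
  return key;
}

// Lets a user remove the stored key, for example after rotating it.
function forgetApiKey() {
  PropertiesService.getUserProperties().deleteProperty(API_KEY_PROP);
}
```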

Authorized REST API calls using apps script.

I am building an application that consists of two strongly separated parts:
Backend server is running on AppEngine and accesses gsuite domain data using Google service account.
Spreadsheet plugin written with Apps Script, that is directly installed by the users.
Spreadsheet plugin should access backend server REST endpoint.
I want to implement authorization for the "Apps Script" -> "Backend Server" connection. The only information I found on this is "Make requests to services with OAuth".
I don't want to implement my own user management and want to use the Google Accounts for authorization. As far as I understand the single way to do this is implement OAuth on the server side and then follow o.
I wonder if there is a better approach or best practices to implement this?
Unfortunately, there isn't another mode of "authorisation" besides the one you've already mentioned/explored, i.e. OAuth.
What I would recommend as an alternate is to use JSON Web Tokens (JWTs).
Twilio's Authy uses it to create user registrations without any PIIs and JWTs in Google Apps Script should help you with that.
Hope this helps.

Drive API - External Sharing

I know that the Google Drive SDK does not show the user email in the value field of the permission object due to privacy concerns. If we don't have that user email address, is there a way to know if a document is shared with anyone outside of the domain?
Also, wouldn't retrieving permissions using the document's owner authentication allow us to see that email address?
You cannot do that using Drive API. However, you can achieve this result using the old and deprecated Gdata DocumentList API