Gmail Add-On Multiple configuration - gmail-addons

I am researching building a Gmail Add-On.
We have several clients that host their own sites, plus clients that are we are hosting.
If the client is self hosted their URL is https://api.clientname.com
If the client is hosted by us the URL is https://api.company.com
Need to store that plus a few other settings in a configuration somewhere on the server like appsettings.json.
Is this possible in a Gmail Add-on using a single build and deploy method?

I hope this helps.
1.Try to store the appsettings.json in some server. This should be accessible through http requests.
2.Whenever you need to access this settings, use URLFetchApp of the appscript to fetch the file.
You can read more about URLFetchApp here
Or if you would like to cache it , refer this.

Related

Reposting: Not possible to use Google login authenticator button for Google webapp [duplicate]

When attempting to use Google federated authentication login button for a Google webapp, error message identified mismatch with related URI and javascript host domains. Solutions, as in this 2019 post (Get gmail address using Google Apps Script, Error: redirect_uri_mismatch) weren't working for me.
I then found this recent article: What is the Authorized Javascript Origin for a webapp powered by Google Script?
I understand it to say that, due to recent actions by Google, it is no longer possible to use the Google authenticator for a Google webapp because redirect URI and javascript origin host domains "cannot be googleusercontent.com”, which is the host domain for Google webapps.
So, my question duplicates earlier posts (i.e., 2019) but in new circumstances. The conclusion of the recent post I've cited seems so radical to me that I'm seeking confirmation, or explanation of how I am misunderstanding it.
As background: I need the webapp to operate under the "(me)owner" account for connectivity to owner spreadsheets, but also need the user's Gmail address (required) for application access control (no other access to user Gmail account; users not all in a shared Workspace domain). Google login would provide the user Gmail address. So, before totally abandoning this solution, I hoping to get additional clarification.
According to the official docs, it's not possible to use Google Sign-In for Websites, and this post from the Google Apps Script Issue tracker Fail to Add *.googleusercontent.com into Authorized JavaScript origins as Google Apps Script uses googleusercontent.com
To achieve your goal, as I mentioned in your previous question, you might use the UrlFeth service to call the Google Sheets API to do the connectivity to your spreadsheet and setting the web app as the user instead as you.
From https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
Domain
Host TLDs (Top Level Domains) must belong to the public suffix list.
Host domains cannot be “googleusercontent.com”.
Redirect URIs cannot contain URL shortener domains (e.g. goo.gl) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain “/google-callback/” in its path or end with “/google-callback”.
Related
How to Properly Configure GAS Web App (as another user) to Execute GAS API Executable (as me) using OAuth2?
User access request when GAS run as the user
While true that you can no longer add googleusercontent.com, you may be able to solve this by using two webapps and managing authentication/authorization between the two:
Webapp#1:
Run as: Me
Access: Anyone even anonymous
Webapp#2:
Run as: User
Access: Anyone
You may be able to create a jwt token from webapp#2 and verify it on webapp#1. As it is a custom solution, security may be questionable.
References:
Authenticate with a server - Here, webapp#1 acts as server and webapp#2 acts as client.
ScriptApp.getIdentityToken()

WhiteListing dynamic URLs for Google Sheets Add-On for user configured URLs

I’m trying to create a Google Sheets add-on which uses an API to the clients own finance system which is deployed on their own web site. The url of the site is configurable so we will only need to deploy a single version of the add-on and all our clients will be able to configure it for their own system.
//getServiceURL() returns the configured URL for the clients system, so https://clientsite/financeapi/
restRequest = UrlFetchApp.fetch(getServiceURL(), params);
The problem I have is that it looks like I need to explicitly reference the urls in the ‘urlFetchWhitelist’ in the appsscript.json file. Otherwise I get the error:-
Exception: Request to https://clientsite/financeapi/blahhh/blahhh failed because the URL has not been whitelisted in the script manifest. (line 510, file "Service")
So I would need to add this to the appsscript.json file.
"urlFetchWhitelist": ["https://clientsite/financeapi/"]
Is there any way round this so that it doesn’t need to be explicitly defined as I don't know these URLs at design time as these are configurable by the client?
If there isn’t I guess we could ask each client what URLs we need to contact and add those to the WhiteList. In which case, is there a limit on the number of whitelisted URLs as we will have hundreds. If we are defining these client URLs could this list be visible to the end user as we can’t have these visible to all users for security reasons.
There seems to be no way to directly bypass this requirement, but I guess you could create web app that would act as a layer between your add-on and the API:
Addon <-> WebApp <-> API
This means that you would only need whitelist the web app's URL and then you can handle any changes to the API URL within the web app with full flexibility.

Authorized REST API calls using apps script.

I am building an application that consists of two strongly separated parts:
Backend server is running on AppEngine that access gsuite domain data using Google service account.
Spreadsheet plugin written with Apps Script, that is directly installed by the users.
Spreadsheet plugin should access backend server REST endpoint.
I want to implement authorization for the "Apps Script" -> "Backend Server" connection. The only information I found on this Make requests to services with OAuth
I don't want to implement my own user management and want to use the Google Accounts for authorization. As far as I understand the single way to do this is implement OAuth on the server side and then follow o.
I wonder if there a better approach or best practices to implement this?
Unfortunately, there isn't another mode of "authorisation" besides the one you've already mentioned/explored i.e OAuth.
What I would recommend as an alternate is to use JSON Web Tokens (JWTs).
Twilio's Authy uses it to create user registrations without any PIIs and JWTs in Google Apps Script should help you with that.
Hope this helps.

Google Apps Script - Server Side Authentication

I would like to use GAS script as some sort of a web service. Basically, I would like to post some parameters and then using Drive service do some manipulations of Google Doc and all of this has to be done from backend, without use of browser. Now I have issue with authentication - When I deploy GAS as a Web App (Execute the app as user accessing the app, Anyone can access app), when trying to execute script via Http request, I get Google Login response (/accounts/ServiceLogin). Obviously user has to authenticate access. I was not able to find if we can apply OAtuh at that point. So my question is - What can be done to achieve this? Is there any mechanism that can be used to atuhenticate to GAS from a server side? Or am I forced to use browser with GAS?
You could have your own authentication check in the Apps Script code. You would have NO security settings with the publishing, but implement your own password check in the Apps Script code. You would set the publish "Execute the app as:" setting to ME, and the setting of "Who has access to the app:" to Anyone, even anonymous. That allows the app to be run by anyone with no authentication. Then create your own authentication by passing a password in the URL search string.
Even though putting a password in the URL search string is encrypted over a HTTPS connection, it's still considered "bad practice", because the search string could be stored in plain text in the browser history. But you aren't going to use a browser.
So, your Apps Script App would read a search string parameter from the URL, and either allow the script to be run or not. You would be implementing your own authentication system.
But you need to evaluate and decide what the security is on your server, or whatever server is sending the request. If you can send a HTTPS request to an Apps Script with a password in the URL search string, and it's not a security concern on your server, or whatever server is sending the HTTPS request, then you can consider that and make your decision.
If you want to get a response back from Apps Script to your server without anything opening up in the browser, use the Content Service:
Google Documentation - Content Service

Authenticate Google Apps Script user via HTTP

In the scenario of scripts that need authentication to run (run as service account, locked down sharing settings, etc) is there a way to authenticate as a Google user via an HTTP tool like cURL, UrlFetchApp, or even PowerShell scripts from Windows Server environments?
You are going to have to do a little leg work on this one.
Firstly, when you publish your apps script, make sure to change the "who has access to the app" to something like "only myself".
Then you need to see what happens when you try to hit that URL from an external service without authenticating. There may be some help from the error codes you are likely to receive.
I imagine you can then use the following documents to Authenticate for Google Services IN GENERAL. Then you will most likely have to pass a sessionID or Accesskey of some sort. I only have a brief understanding of OAuth, but I do imagine that you may be able to set up a more permanent connection between your other server and your particular Google Apps Script.
I hope this helps.
Jacob