We have a Web App written in Apps Script (using spreadsheets on each user's domain) and using ScriptDb (just to store some specific information from each user's domain.)
This is the scenario in terms of access to each piece:
script project (the code): "private to only me"
published web app: "execute the app as the user accessing the web app" and "anyone has access to the app"
this web app will be registered in Chrome Web Store
And these are my questions in terms of access to the information:
How secure is the code of this web app? (who can access?)
How secure is the data stored on ScriptDb? (who can access?)
What are the chances if any, of somebody hacking into the Script code or the ScriptDb data?
Thanks, Fausto
I try my best to give you what I best know of, anyone please feel free to correct me if I am wrong.
ScriptDB is tie to your account and if in the case where your code is only share to you, it will be only you able to access it and IIRC if the app execute as the user accessing the web app, it will be that user's scriptDB and nothing to do with yours.
So if you ask how secure is your code, I think one of the way to access all your code is when your account got hacked and the person will be able to access all your codes and the data store in ScriptDB. As for somebody hacking into the Script code or ScriptDB data chances, I think is pretty low if you keep your account safe.
Related
I'm trying to write a Python program that uses Google Drive to do some custom backup and sync work from my Linux desktop.
I started using the PyDrive2 library, and followed its recommendations on how to sign up for Drive API access. When I run my program, it accesses Drive as I'd expect it to, but my authorization expires after a few hours, which is not going to work for a program that runs in cron. I thought this might be because my app is not verified, so I looked into verification, but it's asking for things like a my application's home page. Mine isn't a web-based application, so I don't have one.
Is there a good way to access Google Drive APIs from a non-web application?
if your access is expireing after only a few hours it sounds like you are not requesting offline access and storing the refresh token for later use.
If you followed Quickstart pyton You may have noticed this section. The users credetinals that being the refresh otken and the access token are stored in token.json for future use by your application.
# The file token.json stores the user's access and refresh tokens, and is
# created automatically when the authorization flow completes for the first
# time.
if os.path.exists('token.json'):
creds = Credentials.from_authorized_user_file('token.json', SCOPES)
I thought this might be because my app is not verified, so I looked into verification, but it's asking for things like a my application's home page.
Your application only really needs to be verified if you are going to have other uses using it. If your only using it yourself then you really only need to remove it from testing phase and put it into production then your refresh tokens will last longer then seven days.
You could try to use a service account but i don't know of anyone who has gotten service account authorization to work with curl.
I have to write a small reservation web app to be used inside the company where I work. I decided to try out Google Apps Script (GAS). In short, the user must be able to select any equipment in a list and submit it along with a date he's planning to use it and his identification (this small system must implement the complete CRUD).
The environment:
Google Spreadsheet as a database
Interface made with GAS published as a Web App
The app will be accessible just to members of the company's domain, but I'm developing it in my personal account for now.
In the development environment, everything works fine. Then I deploy it as web app the project (Execute app as: Me; Who has access to the app: anyone). When anyone acess the link, I can't retrieve the user information (Session.getActiveUser().getEmail()). It always retrive the developer information (my information). If I switch the "Execute app as" to "User accessing the app", then the app can't access the spreadsheet that is making the role of the database. In the development environment this works fine.
The rest of the web app is working fine. I just wanted to get and record the identity (email) of who made de reservation in an automatic way (not by asking the user to type this information).
Do I have to setup something else before people can access it?
Thanks in advance.
[EDIT 1]: The situation changed a little bit. I made a few more tests and it seems that the deployed web app get updated just when I save it as a new version in the project. Anyway, I still can't retrieve the active user email. The Session.getActiveUser().getEmail() now returns a blank string.
[EDIT 2]: Following Sujay Phadke's answer bellow, I tried migrating the web app to the company's environment. It worked like a charm.
Juliano
It's well documented here: getActiveUser
When the webapp permissions are set as "execute as me", it seems that the returned userid string will be empty. It also depends on your specific domain permissions as mentioned there.
Despite fervent searches, I don't believe I have come up with quite the results I am needing. Within the Google Apps for Business Administrator console, under "Reports" there is the "Audit Log." This audit log nearly displays everything I need; however, I am needing the actual name of the file instead of the fileID provided in the report.
The ultimate endgame is to generate, via Google Script, an automated daily report that gives this same data to a few users daily. Is there any means by which I may access this data? I have been pouring over the APIs, and perhaps I've missed something, but I don't feel that I've found what I needed.
Any thoughts and help would be greatly appreciated. Thank you for your time and considerations.
This is possible using the Google Apps Admin Audit API. This uses OAuth and that is a bit tricky to setup sometimes. You can see the set up process in this video that we did. Except as the example shows, instead of the YouTube APIs enable the Apps Reporting and Audit APIs in the API Console.
I built out a simple example of this that you can see in operation. Access this URL after having been logged in as the domain admin. It will automatically create a Spreadsheet in your Drive with the latest Audit logs exported. This is a web app that is deployed as "Run as user".
I've open sourced this Github here. You should substitute in the right OAuth2 Client ID/Secret. The code is pretty rough so you'll want to clean it up. I am selectively logging a few columns but if you look at the API docs, there are other things you can log as well.
Once the OAuth token is set up you can have this run on a trigger as well as long as you refresh the token.
Hope this helps.
When I deploy my GAS project as a web app, I choose to execute the application as the user accessing it. The option for 'Who has access to the app' I can choose just myself, or everyone in my domain. This I understand.
However, in our Google Apps environment - the domain I belong to is one of many 'sub-domains' under one 'tld' domain to which I have an admin account. I don't have privileges to go full exploring in the control panel to see the exact organization, but I know that I can share docs to everyone in all domains via my Drive. How can I get my script to operate in a similar manner?
There are a couple of good resources on this topic.
Stackoverflow question which links to this
Google support answer
With Google Drive, "You cannot restrict sharing to the users in a single domain". I haven't found an answer to this, but this was the closest that I could find. It seems that you will just have to test if "Anyone in my domain" actually means "Anyone in my organization." If you can test this and report back, I will update this answer.
My app wants access to files it creates only. When I revoke access by going to my google drive and "Manage apps", and then later re-grant credentials to the same app, I lose access to previously created files and they don't show up when listing files. This seems like a bad design decision, but perhaps it is a bug. Is it intentional?
This is by design, and is part of Google's dedication to putting the user's privacy first in Google Drive. When an app is uninstalled, all oauth tokens are revoked and the app loses the ability to open these files.
Sorry if this is a nuisance for you, but the alternative might be surprising for some users to find that an app still has access long after uninstalling and reinstalling.