In a google apps script project I have cases where I need to store some sensitive user's data for later executions. Let's say during the first execution user provides some data and the second time the script uses that data.
There are a bunch of ways to accomplish that, like save in some google doc or save it g drive. However, the most clean way I think would be store it in PropertiesService.getUserProperties()
It works perfectly, however I'm not sure whether this approach is secure enough. It's not clear how this data is stored. I was not able to find any technical description. I went through the cookies, It looks like it doesn't use the cookies. Perhaps, it's stored somewhere on the G servers, but would some other scripts be able to read the data which I put inside the UserProperties? Also, it's not clear what is a life span of the set properties, could they reside there forever, until some script deletes it?
UPDATE
In the Going GAS book in a chapter regarding the Properties Service I found a few interesting notes
When Apps Script first started, UserProperties were accessible by a specific user, and not tied to a particular script. Nowadays, each script has its own UserProperties class that can be accessed only from within that script by a particular user.
This means that any data which is stored in the UserProperties by script1 under user1 is not accessible in script2 under user1. I actually ran a quick test to confirm that.
Another note
The Apps Script Properties service is in the cloud, and therefore not tied to any particular machine, environment, or operating system.
This partially confirms my assumption that the properties are stored on the G Servers where the *.gs script is run.
Taking that into account I would say that using Properties Service is reliable and secure to some degree.
Would be glad to hear any comments about this.
Depends on how you scope it.
It can be scoped to one script:
var scriptProperties = PropertiesService.getScriptProperties();
scriptProperties.setProperty('SERVER_URL', 'http://www.example.com/');
One user of a script
var userProperties = PropertiesService.getUserProperties();
userProperties.setProperty('DISPLAY_UNITS', 'metric');
Or one document
var documentProperties = PropertiesService.getDocumentProperties();
documentProperties.setProperty('SOURCE_DATA_ID', '1234567890abcdefghijklmnopqrstuvwxyz');
And this is the access table, from the docs.
+--------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------------------+
| | Script Properties | User Properties | Document Properties |
+--------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------------------+
| Method to access | getScriptProperties() | getUserProperties() | getDocumentProperties() |
| Data shared among | All users of a script, add-on, or web app | The current user of a script, add-on, or web app | All users of an add-on in the open document |
| Typically used for | App-wide configuration data, like the username and password for the developer's external database | User-specific settings, like metric or imperial units | Document-specific data, like the source URL for an embedded chart |
+--------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------------------+
There is no clear indication as to what the life span of the properties are or where exactly are they store but from the quotas doc, we know that:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With