Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Limiting Google Apps Script Web app to certain users only

Tags:

web-applications

google-apps-script

user-permissions

Making a web app that makes changes to certain (Sheets) files on my Google Drive (i.e. user will use the app as me), but I would like to restrict the Web app access only to certain users. When deploying app, I only have the options of making it private or public. One solution would be to use the session class to see if a correct user is logged in.

function onAppBegin(){

 if (Session.getActiveUser().getEmail() != "[email protected]") return null;
 accessGranted();
}

However, I am concerned if this crude method is actually safe and is not hackable?

like image 556
Zeeshan Ahmad Avatar asked Aug 12 '17 17:08

Zeeshan Ahmad

1 Answers

The method is too safe: nobody will have access. If your web app is deployed with the option "Execute the app as: me", then Session.getActiveUser().getEmail() will probably return the empty string. See documentation:

The circumstances in which the email address is available vary: for example, the user's email address is not available in any context that allows a script to run without that user's authorization, like [...] a web app deployed to "execute as me" (that is, authorized by the developer instead of the user). However, these restrictions generally do not apply if the developer and the user belong to the same G Suite domain.

The issue is that even though the user logged in to access the web app, they did not authorize it to do anything on their behalf, e.g., find their email address.

If the web app is deployed to be executed by "User accessing the web app", then they will be asked to authorize it, and so the web app can learn their identity. But then, it will only be able to modify those files that the user already can modify directly.

The way I get around this difficulty is by giving the authorized users a key to the web app (some long random string). They access the app by going to https://..../exec?key=mykey, and the app checks the key as follows:

function doGet(e) {
  if (e.parameter.key == "mykey") {
    var ss = SpreadsheetApp.openById("spreadsheet Id");  
    // modify the spreadsheet
  }
}

Now, this is even more crude than your original approach, but it works. If a wrong person gets the key, they will be able to use the app but the damage will be limited to what the app can do. It's not nearly as bad as someone getting access to your Google Account.

like image 180
410 Avatar answered Oct 02 '22 12:10

410
Sign in to Comment

Related questions

Parse XML using Google Apps Script
Google apps script - iterate folder and subfolder
How to Call Google Apps Script from Web Page
How to evaluate a spreadsheet formula within a custom function?
"SpreadsheetApp.getUi() cannot be called from this context"
Google Script Library: Project Key deprecated?
Google Apps Script Regular Expression to get the last name of a person
How to remove data validations?
How to use <img src > in google apps script
React with Google Apps Script [closed]
Convert a string to date in google apps script
How do I deactivate GMail meter emails?
Line break in a message
Google Apps Scripts - Extract data from gmail into a spreadsheet
How do I create a file in a folder?
Google Apps Script How to link to JS or CSS file on Google Drive
Build google chart by using google script and query function
How do you tell whether text fits within its bounding shape?
Google Apps Script logs (web app) don't show up in the new interface

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!