Passing authentication from one Google Apps Script webapp to another Google Apps Script webapp

Question

I have two Google Apps Scripts in my Google Apps account. Both have been published as webapps with the following settings.

Script A:

Execute as me
Who has access to the web app:Anyone within XXXXXXX.com

Script B:

Execute as the user accessing the app
Who has access to the web app:Anyone within XXXXXXX.com

I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?

Note:

Script A is being used to get\write data from\to a spreadsheet that only I have access. Since my Google Apps domain administrator does not allow sharing outside the domain, I can not set anonymous access to the web app.

Answer 1

I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?

Even though Script A is set up to allow anyone to access it, our goal is to secure it so that only Script B will be able to make a valid request. This can easily be accomplished using a shared secret key that both Script A and Script B have access to. When Script B makes the request to Script A, it simply needs to include the secret key. Script A can refuse any request which does not include the secret key.

Only someone who is able to view the source code to either Script A or Script B will be able to find the secret key. Of course, anyone who obtains the secret key is able to impersonate Script B.

As a further enhancement, you could use the Utilities.computeHmacSha256Signature() method as a way to avoid sending the secret key as part of the request. Both scripts still need to know the secret key, but you can have Script B compute a signature and send that as part of the request instead of the secret key itself.