I have a google apps script that has an API key set as a property (getScriptProperties()). The script is attached to a spreadsheet. Will users of the spreadsheet conceivably have access to the API key? Would this be different if said property were contained in a library the script invoked?
Will users of the spreadsheet conceivably have access to the API key?
Yes, if stored in Script/Document properties. User properties are also accessible, if the user has installed a trigger.
Would this be different if said property were contained in a library the script invoked?
Kind of. As written in resource scoping, Script properties are not shared, i.e., library has it's own instance of script properties. Although it's not shared automatically, you should be careful not to code in such a way to give access to the end users(i.e., The actual fetch should happen in the library. Secrets should never reach user code). It may still be possible to access the tokens through debugger, overriding methods(see link below). User properties are shared.
Related:
Securely Storing API Secrets used in Google Apps Script - Published Library
What is the appropriate way to manage API secrets within a Google Apps script?
Related
I'm creating a Google Workspace Add-On and need to make some requests using OAuth. They provide a guide here explaining how to do so. In the sample code, it's suggested that the OAuth client secret be inline:
function getOAuthService() {
return OAuth2.createService('SERVICE_NAME')
.setAuthorizationBaseUrl('SERVICE_AUTH_URL')
.setTokenUrl('SERVICE_AUTH_TOKEN_URL')
.setClientId('CLIENT_ID')
.setClientSecret('CLIENT_SECRET')
.setScope('SERVICE_SCOPE_REQUESTS')
.setCallbackFunction('authCallback')
.setCache(CacheService.getUserCache())
.setPropertyStore(PropertiesService.getUserProperties());
}
Is this safe for me to do?
I don't know how Google App Script is architected so I don't have details on where and how the code is being run.
Most likely it is safe since the script is only accessible to the script owner and Workspace Admins if it is for Google workspace (which may or may not be an issue).
Well, you can add some security/safety by making use of a container, by using Container-bound script which makes use of Google Spreadsheet, Google Doc or any other that allows user interaction. Or a standalone script but also makes use of other way to connect to UI for interaction. Refer to this link for more detailed explanation on that: What is the appropriate way to manage API secrets within a Google Apps script?
Otherwise, the only way I see that you can do is store the keys and secrets in User Properties. Here's how you can do it: Storing API Keys and secrets in Google AppScript user property
Also you can refer to this link below for more general information on how you can manage or add some security: https://softwareengineering.stackexchange.com/questions/205606/strategy-for-keeping-secret-info-such-as-api-keys-out-of-source-control
Is is possible to give google service-account's access to whole drive instead of just folders?
I'm unable to switch to a new directory using google docs API in python. It was possible to jump into a folder and then create the document there using google drive APIs but I want to use docs API only and I can't see any way to jump into another folder.
Is is possible to give google service-account's access to whole drive instead of just folders?
If you have a Workspace domain, I'd suggest granting domain-wide authority to the service account in order to impersonate the regular user's My Drive and access everything they can access. See Delegating domain-wide authority to the service account for more details about how to accomplish this.
If this is not an option for you, you should share all top-level items on the Drive, since there's no direct method to share the full My Drive.
It was possible to jump into a folder and then create the document there using google drive APIs but I want to use docs API only and I can't see any way to jump into another folder.
You need to use Drive API to move files between folders. Docs API cannot be used for that.
Sidenote:
Not sure if you're aware of this, but please notice that, if you create a document via Docs API, you can only create a blank document, since all fields apart from title are ignored in this method (see documents.create). If you want to add text, change other properties, etc., you'll have to use documents.batchUpdate.
I'm mentioning this since I don't know whether that was the reason you wanted to create the document via Docs API.
I want to publish my API, but I want to limit so users can only execute in sandbox environment (I want to limit production to specific user/customers with specific agreement).
This is a basic functionality in other API managers, but I don't find how to do in WSO2.
I have found this article in Medium, and also noticed that when I create an aplication, a couple of new roles are created (Application/user_application_SANDBOX and Application/user_application_PRODUCTION), but I don't find how to use them.
Deep dive in doc doesn't helped me.
Option 1:
You can use application registration workflow to control key generation for production and sandbox, by sending it through an approval process.
If you want to automate it based on a property or something, you can write a custom workflow extension.
However, this is applied to applications but not to APIs. That means if you allow generating prod keys for an application, all APIs, that the application has subscribed to, are accessible with prod keys.
Option2:
If you want to do this in API level, you can write a custom mediation sequence. Within the custom sequence, you can read the key type (i.e. production or sandbox), subscriber, enduser (if required) etc. and decide whether you want to allow the request or not.
I am a C# software guy by day and a SharePoint beginner. I am using a Content Editor Web Part with SharePoint Online and do not know how to securely store secrets. My SharePoint app must communicate with another application and todo so I must use custom credentials. Because I am in the Dev phase, I am able to hard code the creds inside of my Type Script files, but this is not what I want long term.
My ask is if someone can walk me through the proper strategy for storing secrets using SharePoint Online Content Editor Web Parts to be consumed by the TypeScript/JavaScript.
Thanks
Quite honestly, the proper strategy would be to not use JavaScript at all for sensitive API calls. Sensitive API calls should only be made server-side (so that any "secret" keys, passwords, etc. never reach the browser).
The problem with storing a secret value somewhere and accessing it with JavaScript is that JavaScript would have to decode the value somewhere along the way in order to use it. That means a savvy user could view the source code for your page, open their browser JS tools, and execute the same commands to get the value. Not great for security.
On-premise SharePoint actually has a solution for this called the Secure Store Service, but part of why that works is it's designed for use in server-side code. As of yet, Microsoft hasn't released a client-side API for that service in SharePoint Online (probably because using it with JS would be less secure as I mentioned).
The "proper" strategy depends on your goals. You've got at least 2 options:
If you want real security for your secret key/password/whatever, you'd need to develop a SharePoint Online "Hosted Add-In" which lives on another server or a cloud service like Azure. SharePoint provides "app parts" that wrap hosted add-ins with iframes and let you add them to a page, so you could use that to add your app to a SharePoint page and have it display results from an API call (very similar to how a Content Editor Web Part would look).
If you don't need real security and "security by obscurity" is good enough, then I'd recommend storing the secret value in a SharePoint list and doing some "fake" encryption on it like Base64 encoding. Then decode the value in JavaScript after reading it from the list. If you want to add even more obscurity, you can use PowerShell or JavaScript to make the list hidden so users don't see it in their browser, but that also means you'd have to add/edit values through code.
Looking to create a completely external portal using only HTML5, JS, and CSS to show CRM 2011 data. It does not look like I can use REST or SOAP because they cannot authenticate externally. Does anyone know how I would do this?
Thanks!
To do this, your OrganizationData.svc service would need to be externally accessible, and it would need to function without authentication (or, your authentication would need to happen within your javascript - where the end user would be able to read your source code). Either way is not a wise idea, since all of your data would be visible to the world!
If you are only dealing with internal authenticated users, read up on the oDATA endpoint.
If you want to deal with external and/or unauthenticated users, you'll need to find another way to do this that does all of the data filtering & authorization control you need.
I think we normally achieve this using a intermediary integration service. You could have a service which has access to the Org service through conventional CRM authentication, and which provides a number of methods which can be called anonymously (or by custom security) by client code.
For example, a web page calls the 'int' service's 'getContact' method, passing an email address of the user. The 'int' service validates the user's email address and then retrieves the required data from CRM's org service, using credentials stored in a config file (a CRM user with sufficient permissions to serve the 'int' service's methods). The 'int' service then parses the data and returns it to the client code - which has no knowledge of CRM's existence - perhaps as JSON for usability.