How to get OAuth access to GMail? - gmail

How can you get user-initiated access to read their email? It seems there is OpenID, OAuth, OAuth2 and random other solutions.
The best I came up with so far is OAuth2 with scope=https://mail.google.com/.
Is there any permission that would just give me read-only access to the mail and ideally not scare the user with a permission notice like:
"View and manage your mail
Perform these operations when I'm not using the application"
All I'd like, if possible "View your mail".

The previous answer is no longer accurate. The recently released Gmail API allows a 'read only' scope, among others, which can be found here: https://developers.google.com/gmail/api/auth/scopes.
The 'read only' scope is: https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.readonly
Read all resources and their metadata—no write operations.
https://www.googleapis.com/auth/gmail.compose
Create, read, update, and delete drafts. Send messages and drafts.
https://www.googleapis.com/auth/gmail.send
Send messages only. No read or modify privileges on mailbox.
https://www.googleapis.com/auth/gmail.insert
Insert and import messages only.
https://www.googleapis.com/auth/gmail.labels
Create, read, update, and delete labels only.
https://www.googleapis.com/auth/gmail.modify
All read/write operations except immediate, permanent deletion of threads and messages, bypassing Trash.
https://www.googleapis.com/auth/gmail.metadata
Read resources metadata including labels, history records, and email message headers, but not the message body or attachments.
https://www.googleapis.com/auth/gmail.settings.basic
Manage basic mail settings.
https://www.googleapis.com/auth/gmail.settings.sharing
Manage sensitive mail settings, including forwarding rules and aliases.
Note: Operations guarded by this scope are restricted to administrative use only. They are only available to G Suite customers using a service account with domain-wide delegation.
https://mail.google.com/
Full access to the account, including permanent deletion of threads and messages. This scope should only be requested if your application needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes.

The GMail API documentation says there is only one scope giving access to everything.
There is also a feature called GMail Inbox Feed which could be what you want, but it is only available on Google Apps domains.

Related

If a google doc/sheet is made public, how easily can other people find the URL?

Is it easy for people to find "public" google sheets/docs?
Context: Storing some semi-sensitive data (individual user info, of non-sensitive nature) for an app beta-test in google sheets. Planning to migrate to some DB in the future, but for now, just using JavaScript to pull the data directly from the google sheets (since there are visualizations being dynamically updated by the sheets).
Yes, it's easy to get information. Search engines may index and cache the information. Then, there are bots, crawlers and scrapers. Do NOT put (semi)sensitive information in public. Implement google-oauth properly with google-sheets-api to get information. You can also use service-accounts
Yes, it can be easily accessed.
According to the official Google article Share files from Google Drive: when you set your file's General Access setting to public:
Anyone can search on Google and get access to your file, without signing in to their Google account.
What you can do:
In the case of your app beta-test in google sheets data, you may want to reconsider to change your file's General Access setting to one of the following (in descending order of security):
Restricted - Only people that you manually give access to can view or edit your files. When you click the share button, a prompt will show and you may manually add the users who can view or edit your files:
Afterwards, you may select a role for those users and then they can be notified afterwards through email.
On the other hand, you can share the link to others. A prompt will show like the one below if you send the url through Google Chat:
You may opt to select Don't give access which will result in the following view on the other user's end:
This would mean that if unauthorized users get hold of the file URL, they will still need to send an access request. If other users submit the request, an email notification will be sent to your mail inbox. Other users who also own the file will also be notified by mail.
Your Organization - If you use a Google Account through work or school, anyone signed in to an account in your organization can open the file. If you are an administrator in a work or school workspace, you may set how members can share content within the organization. The administrator can prevent the sharing of content with group members outside your organization. If external sharing is prohibited, only group members who are in your organization can access the group's shared content.
Anyone with the link - Anyone who has the link can use your file, without signing in to their Google Account. This option is least recommended because if the URL is leaked to unauthorized users, they can easily access the file.
References:
Share files from Google Drive
Share content with a group
Don’t make it public unless you want the public to see it. Use oauth to access.

Read only permission/scope for DocuSign API

As mentioned on the link https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-code-grant, there are three access scopes DocuSign allows to fetch user's data : signature, extended and impersonation.
I am looking for a scope which allows me only read access. I need to build a dashboard of various activities/updates (getting the status of all envelopes, etc) of all the users of DocuSign at my company.
As per my understanding, I need 'signature' permissions/scope at-least as described under heading "Admin consent for internal applications" on https://developers.docusign.com/esign-rest-api/guides/authentication/obtaining-consent.
This means I will have access to create and delete the envelopes as well. Couldn't understand the 'extended' scope as well (as per my reading, it is helping to extend the access tokens validity and usage of refresh token any number of times).
Is their any other permission type (read scope only) that I can use based on my criteria?
Re read only scope. Not at this time. And since you want stats for all users' envelopes, you'll need Account Wide Rights. Full Admin is not necessary.
Perhaps an alternative might be to use the connect webhook system, and then track statistics as your app receives each notification message about changes to the users' envelopes.

Should user accounts be disabled if Facebook is the only login method

I've read about security best practices saying that inactive user accounts should be disabled and even deleted to avoid security issues like unauthorized use. I can see that being true for regular username and password authentication sites, however my application was built to work only with Facebook groups and as such the only way to login or create a new account is to use the Facebook login.
The argument can be said that someone malicious could take control of one of my users' Facebook accounts and then use it access my application. Although that is true if they have control of a Facebook account my application would never know it's a malicious person so I don't see that as a valid criteria to use in determining if the account should be disabled.
Furthermore if a user is inactive and wants to become active again since it's Facebook login there really is no reason for them to go through some kind of reactivation process like confirming their email or changing their password.
I must be missing something here because it's certainly mentioned as a best practice to disable accounts but since my only login method is Facebook (OAuth) I can't come up with a valid reason to disable/delete inactive accounts.
Regarding other methods of unauthorized access I have security measures in place so I'd like to keep the answers relevant to the login method.
Please enlighten me if I've missed something.
If you have decided that your application needs to use Facebook authentication, then your system's identities will only be as traceable as Facebook's identity management permits. (And don't expect Facebook to help you by disabling / blocking users at their end ...)
You need to design it accordingly:
Don't make any assumptions that users will behave properly.
Don't rely on login controls to keep out malicious users.
Put in your own (sufficient) defenses against malicious behavior into your own system.
You are correct that disabling an account in your system won't achieve much if you also allow the user to (easily) reenable it. Given that it is easy to create (effectively) untraceable Facebook accounts, the chances are that a typical malicious actor will not just rely on old accounts. They may use a brand new account and connect from an IP address that you have never seen.
There are some things that you could do though. For example, implement mechanisms to do the following:
Make sure that users simply cannot upload dangerous content (e.g. files with trojans, web content with dangerous links or scripts.
Allow administrative locking an existing account or OAuth identity,
Allow blocking of creation of accounts or access in from specified IP addresses or ranges,
Keep an audit trail so that you can watch the history of user behavior.

Obtaining Instagram Access Token

We have a client who has a simple Instagram feature on the site to pull photos by a certain tag. They just noticed it isn't working. Getting an error - invalid access token. I guess since the 1st because of the updates. We didn't used to need an access token since we're not doing anything with users - just tags.
Now it looks like we need one and the documentation makes zero sense on how to obtain one. And it seems like they're not accepting most apps. The app is in sandbox mode too. So I'm assuming it's because it got switched to that? Got no notification of this happening.
The first step in documentation to get an access token is "Direct the user to our authorization url." What does that even mean? There's not a link provided or anything. It also says "Company Name, Contact Email and Privacy Policy URL are required to start a submission." Our app doesn't have a privacy policy... it's just a simple tag feed. I don't understand why everything is so complex to have a simple tag feed.
Is there a wait time to get the app approved..if it gets approved... Do I have to have it approved before getting an access token? This isn't outlined anywhere.
You got it right. As of June 2016 any Instagram API calls require an access token.
Getting an access token is described in the documentation. App approval is not required.
There are two ways to get one: server-side or client-side. The second option (called implicit authentication) can only be used when implicit OAuth is enabled in the client settings (Manage Clients > Edit Client > Security > Disable implicit OAuth). It is disabled by default.
In either case you need to redirect the user to the authorization URL to obtain an access token.
The URL for explicit mode (server side) is:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
The URL for implicit mode (client side) is:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token
After this you will be redirected to the REDIRECT-URI, which will be passed an argument. For explicit mode this will be a query string with a code, while for implicit mode you will get the access token directly as a hash:
http://your-redirect-uri?code=CODE
http://your-redirect-uri#access_token=ACCESS-TOKEN
For implicit mode you can then get the access token from the window.location.hash in Javascript.
For explicit mode, however, you need to further process the code to obtain the access token. You can read how this can be done in the API Documentation. I'm not going to take this any further here.
The problem is that every user who wants to see your feed needs to login to Instagram (and have an account) in order to view it. In your case this might not be desired. However, there are a few options to get around this (rather annoying) problem:
You can reuse your own (already obtained) access token(s) to display the Instagram feed for every user. You will need to be aware of rate limits for each token. For sandboxed apps this is 500 API calls / hour, while live mode allows 5000 API calls / hour. [source] You could store tokens in a table and use them in a round-robin manner, to allow more API calls. This involves manually obtaining a bunch of tokens which your application can use (the more the better). This might not be the ideal solution considering Instagram doesn't warrant access tokens to have an unlimited lifetime.
You can retreive JSON data without authentication by appending /media/ to a user page URL, as described in this post. No tokens or client IDs are required for this to work. However, this only works for users, not for tags. Besides, Instagram doesn't document this feature so it is not garanteed to work in the future.
You can use an aggregator like Juicer or Dialogfeed instead which will handle access tokens for you. This is usually not free of charge.
I'm also in the process of making an Instagram feed for my website, and this is what I concluded from my research. Please bare with any errors I made.
Edit: Here are some more limitations for sandbox apps.
In sandbox mode you can only access data from sandbox users (thus users who received a sandbox invite). This means that:
Media retreived by user, e.g. /users/{user-id}/media/recent, will return an empty response if the user is not any of the sandbox users.
Media retreived by tag, e.g. /tags/{tag-name}/media/recent, will only contain tagged media belonging to sandbox users.
Thus, for a tag feed to work, it needs to be live (reviewed and approved). If you don't want to do this, the only alternative is to use an aggregator as I mentioned above.

How do I access data for all of my students?

I'm making an app that authenticates a coach with KA's API, in order to present statistics and reports on the progress of each student.
How do I see "For whom am I a coach" (inverse of /api/v1/user.coaches)?
or otherwise request user and progress data for all my students?
You can request /api/v1/user/students to get a list of the currently authenticated users' students. Note that this is an undocumented endpoint, not sure if that's on purpose or not, but I suspect just an oversight because IIRC I've seen them reference it on github issues in the past.
I added that endpoint to the khan npm module in this PR: https://github.com/weo-edu/khan/pull/4
An important caveat to note is that as of this writing, you won't be able to request students on behalf of a user who has authenticated your application, only the user who created the app you're currently using.
Put another way: If I create an application called "hello" while logged in as "Jeffrey", I can get all of Jeffrey's students by authenticating with the "hello" app. However, If I log in as Lisa via the "hello" app (via oauth, e.g. passport-khan), I'll have an access token but the Khan API will refuse my request because Lisa did not create the "hello" app.
This behavior is documented (albeit a bit confusingly) in this wiki page, here's the relevant paragraph:
It is recommended that schools have one teacher/coach account that registers for an API key. This enables a situation where the logged-in user is the same as the third-party developer, who then can access their own students' data pursuant to Khan Academy's "coach" relationship. For example, suppose the principal of Riverdale High wished to export data for multiple students via the API. The principal would create a teacher/coach account, perhaps called "RiverdaleHighAPI," and register for an API key. The principal would then ask all students of Riverdale High to add "RiverdaleHighAPI" as a coach, either directly or via several class codes. When accessing the API with "RiverdaleHighAPI" as the logged in user, the principal would be able to access the data for all students that have added "RiverdaleHighAPI" as a coach. The app would not have access to any other coaches' student data, even if another coach logged in through the app. To protect student privacy, we do not allow indirect consent through the coach, and we require each student to explicitly grant permission to access their data. Please note that we are working to improve this functionality; for the time being, this "RiverdaleHighAPI" account should only be used by the school's API client, not by any actual teacher or coach.
Lastly, khan actually encourages public use of their internal API. They recommend opening up your developer console while logged in to khan and looking for the endpoints that return the data you want. (see this note on their authentication document).
This is obviously a fairly non-standard practice and I assume the endpoints would be subject to breaking changes without warning. Also you'll be flying documentation free. That said, this approach may be the most robust option for your purposes. Here's the quote from their wiki for posterity:
The API explorer documents our public API, which has URLs starting with /api/v1, but unfortunately it's not very well-maintained and lacking in a few areas.
If you're feeling adventurous, though, you're welcome to use any internal undocumented API endpoints. For example, if you load a Khan Academy video page and use your browser's developer tools to look at the ajax requests being sent, you'll see that it gets a URL like /api/internal/videos/aubZU0iWtgI/transcript, which contains a JSON response with the video subtitles. That "internal" in the name means that we don't provide documentation, and we may remove the endpoint or change the format in the future, but you're welcome to use any internal endpoints if you keep those caveats in mind.

Resources