I have two Google Apps Scripts in my Google Apps account. Both have been published as webapps with the following settings.

Script A:

Execute as me
Who has access to the web app: Anyone within XXXXXXX.com

Script B:

Execute as the user accessing the app
Who has access to the web app: Anyone within XXXXXXX.com

I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?

Note:

Script A is being used to get\write data from\to a spreadsheet that only I have access to. Since my Google Apps domain administrator does not allow sharing outside the domain, I cannot set anonymous access to the web app.

kiwidrew
WebHoundX

2 Answers

I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?

Even though Script A is set up to allow anyone to access it, our goal is to secure it so that only Script B will be able to make a valid request. This can easily be accomplished using a shared secret key that both Script A and Script B have access to. When Script B makes the request to Script A, it simply needs to include the secret key. Script A can refuse any request which does not include the secret key.

Only someone who is able to view the source code to either Script A or Script B will be able to find the secret key. Of course, anyone who obtains the secret key is able to impersonate Script B.

As a further enhancement, you could use the Utilities.computeHmacSha256Signature() method as a way to avoid sending the secret key as part of the request. Both scripts still need to know the secret key, but you can have Script B compute a signature and send that as part of the request instead of the secret key itself.

kiwidrew
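
An added example (not part of the answer above and not the poster's code) of the HMAC variant it describes: Script B signs a timestamp plus payload, and Script A recomputes the signature before doing any work. The function names, the `ts`/`payload`/`sig` parameter names and the five-minute window are assumptions; the Node `crypto` fallback is there only so the block also runs outside Apps Script.

```javascript
// Added example. In Apps Script the HMAC comes from
// Utilities.computeHmacSha256Signature(); under Node the built-in crypto module is used.
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window

function hmacHex(message, secret) {
  if (typeof Utilities !== 'undefined') {
    // Apps Script returns signed bytes (-128..127); mask each to 0..255 before hex-encoding.
    return Utilities.computeHmacSha256Signature(message, secret)
      .map(b => ('0' + (b & 0xff).toString(16)).slice(-2)).join('');
  }
  return require('crypto').createHmac('sha256', secret).update(message).digest('hex');
}

// Script B: sign timestamp + payload. Only the signature travels, never the key.
function signRequest(payload, secret, nowMs) {
  const ts = String(nowMs);
  return { ts: ts, payload: payload, sig: hmacHex(ts + '.' + payload, secret) };
}

// Compare without returning at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Script A: call with e.parameter from doPost(e) before touching the spreadsheet.
function verifyRequest(params, secret, nowMs) {
  const ts = Number(params.ts);
  // Reject malformed or stale timestamps so old captures age out.
  if (!Number.isFinite(ts) || Math.abs(nowMs - ts) > MAX_SKEW_MS) return false;
  const expected = hmacHex(params.ts + '.' + params.payload, secret);
  return constantTimeEqual(String(params.sig || ''), expected);
}
```

A valid request captured in transit can be replayed until its timestamp ages out, so keep the window short. The check only matters once a request actually reaches Script A's handler.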
Without the anonymous access it's not possible. You might be able to pretend you are a browser, i.e. see what your browser sends when you run the webapp and send the same header/cookie etc., but it's not really a supported way.

Zig Mandel
  • Thanks for the insight Zig. Is there another way that I can achieve my goal? I'm trying to allow some users in my domain to read\write some information from a spreadsheet that only I have access. Purpose of Script B is to collect user's email address – WebHoundX May 20 '14 at 16:17
  • There are ways but with security issues or other problems. The idea is to have script A run on a 1-minute timer and check if there's stuff to append to your ss. By stuff I mean something like another 'queue' spreadsheet shared with the team. Drawback is that users can see and modify the queue if they are curious. To solve that you can store the queue somewhere else but note that scriptDb is deprecated. – Zig Mandel May 20 '14 at 18:04
  • You can also do a manual call (with urlfetch and http drive api) to the drive api using a hardcoded token. Make sure the users can't see the script. – Zig Mandel May 20 '14 at 18:07
  • I'm interested in the second method you have mentioned. Do I have to use drive api to write to the Spreadsheet? – WebHoundX May 21 '14 at 08:08