
When an application uses the Drive Realtime API in conjunction with a user's file stored in Drive, it gets access to the realtime collaborative model which is associated with that file. It has been documented in both the official reference material [1] and in a previous answer here on StackOverflow [2] that when two different applications [3] use the Realtime API with the same Drive file, they will be accessing different collaborative models.

Let's assume that I have a server-side application with a client_secret and the user's OAuth refresh_token stored on a server that only I can access, and that the user's access_token only leaves that server when making direct calls (over HTTPS) to various Google APIs. Consider the case where my application has used the realtime.get and realtime.update methods of the Drive API to keep some sensitive data in the collaborative model of the user's Drive file, such as an encryption key or a long-lived OAuth refresh_token for a third-party service.

Is this sensitive data safe from disclosure to another application, even when that application also uses the Realtime API on the same file?

I don't think any other application could impersonate my application, since they wouldn't have access to my client_secret and wouldn't have a chance to intercept either the refresh_token or the user's access_token that is associated with my app.

Bonus question: Can the user bypass my application and gain access to this sensitive data?

I can't see a way for the user to impersonate my application. The user can use my application's public client_id and grant himself permission through the normal OAuth flow, but would have no way to exchange the resultant code for a valid access_token without knowing the client_secret.


  1. "Models are isolated by application. If a user opens the same file with two different collaborative apps, separate documents are created." Using Collaborative Models with Existing File Types
  2. "When you create a doc in the realtime playground, it is owned by the realtime playground app. When you try to then get the response in the try-it feature, it uses an app specific to try-it which can't see the realtime model you created." Official answer to question "How to work with Realtime get and update api requests?"
  3. That is, when the applications use different client_id values to obtain OAuth credentials for the user.
kiwidrew

1 Answer


The realtime models for different applications are isolated as you describe, but you should assume that anything in the model is theoretically readable by any user on the ACL.

If the user has authorized your application, they can theoretically grab the OAuth token used to make requests, since it needs to be sent from their computer along with the requests.

Additionally, if you ever load the document, it's available in the browser in its entirety, regardless of what parts of it you display.

Cheryl Simon
Yes, I understand that my application's OAuth token is available to the user when loading the model in the browser using the client-side Realtime API. But if I only use the get/update methods (for importing & exporting the realtime model) from my server, and never expose the OAuth token to the end user... then in those circumstances the user could never get access to the realtime model, correct? – kiwidrew Nov 15 '15 at 04:01
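The answer states that anything placed in the collaborative model should be assumed readable by any user on the file's ACL. The mitigation that follows from that is to never put the sensitive value itself into the model: the server encrypts it under a key that stays on the server, writes only the resulting ciphertext through realtime.update, and decrypts after realtime.get. The Go program below is an added example, not code from either poster or from Google's client libraries; the realtime.get/realtime.update calls are not shown, and sealSecret, openSecret, the use of the Drive file ID as associated data, and every sample value are the example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// sealedRecord is the shape of the value that the server would write into
// the collaborative model (the realtime.update call is not shown). Anyone on
// the file's ACL can read this record, so it carries only ciphertext; the key
// that opens it lives on the server alone.
type sealedRecord struct {
	Version int    `json:"v"`     // format version, to allow key/algorithm rotation later
	Nonce   string `json:"nonce"` // base64 AES-GCM nonce, fresh for every seal
	Data    string `json:"data"`  // base64 ciphertext followed by the GCM authentication tag
}

// newAEAD wraps a 16-, 24- or 32-byte server key in AES-GCM.
func newAEAD(serverKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(serverKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts plaintext under the server-held key. The Drive file ID
// is bound in as associated data (an assumption of this example) so a record
// copied into another file's model will not open there.
func sealSecret(serverKey, plaintext []byte, fileID string) ([]byte, error) {
	aead, err := newAEAD(serverKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(fileID))
	return json.Marshal(sealedRecord{
		Version: 1,
		Nonce:   base64.StdEncoding.EncodeToString(nonce),
		Data:    base64.StdEncoding.EncodeToString(ct),
	})
}

// openSecret reverses sealSecret. Any modification of the record, a wrong
// key, or a mismatched file ID fails authentication and returns an error
// rather than garbage plaintext.
func openSecret(serverKey, record []byte, fileID string) ([]byte, error) {
	var rec sealedRecord
	if err := json.Unmarshal(record, &rec); err != nil {
		return nil, err
	}
	if rec.Version != 1 {
		return nil, errors.New("unsupported record version")
	}
	nonce, err := base64.StdEncoding.DecodeString(rec.Nonce)
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(rec.Data)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(serverKey)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, nonce, ct, []byte(fileID))
}

func main() {
	// Constructed demo values: a real server would load the key from its
	// secret store and the file ID from the Drive API response.
	serverKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, serverKey); err != nil {
		panic(err)
	}
	const fileID = "example-drive-file-id"
	record, err := sealSecret(serverKey, []byte("third-party-refresh-token-EXAMPLE"), fileID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in model: %s\n", record) // ciphertext only
	plain, err := openSecret(serverKey, record, fileID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered on server: %s\n", plain)
}
```

Because the server key is never part of the model or of any token sent to the browser, a user who reads the whole model (the case the answer describes) obtains only the sealed record, and the associated-data binding means the record cannot simply be moved into a file where a different application would read it.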