4

Having a similar constellation as in ScriptDb in Library accessed by WebApp, and also the answer given there applies to this question too:
When a published WebApp (accessible by everybody and running as the accessing user) is using a Library, then this library needs to be shared to the public (to people having the link), otherwise there is the error
"You do not have access to library ..., used by your script, or it has been deleted."

So that means, that everybody having the link to my library can see all that precious source-code. The question is now, can somebody guess that link, which looks like

 https://script.google.com/a/macros/..../d/Mmov_2Lg8BnmygsjmTBZMqKFZSw7a2n3o/edit?template=default

or is this link neither contained in the web-content delivered to the one using the WebApp nor can it be derived easily from a (guessed) name of the library? That would be the case, if that string in the above link starting with Mmov_2Lg8B somehow is an encoded name and version-number of the library, and the algorithm works in both directions.
To summarize: The source code of a published WebApp is not visible to the user, but all libraries used by that App can be seen by everybody having the link to them. Is this link easily guessable? Or is there even a completely different way to keep the source-code of libraries private?

pbhd

3 Answers

4

I initially thought the library key could be seen by inspecting the webapp, but that is not possible. So, you indeed need to share your library to "anyone with the link", but as long as you do not announce this link anywhere, one will not be able to find it just by using your web app.

Henrique G. Abreu
3

See the comments on Henrique's answer - the library url is not guessable and is not in the webapp.

Corey G
  • That's a definite answer! So that string identifying the library (and also used when referencing it as a library inside a project) is nowhere in the DOM on the client, and this id is composed in a cryptographically accepted safe way like a strong one-way hash?! – pbhd Dec 06 '12 at 16:43
  • 2
    The id is not on the client. I won't comment on how the key is generated, but it should be considered unguessable. – Corey G Dec 06 '12 at 17:11
  • Hmpf. You know how it's generated but you don't want to talk about it? That makes me curious. Why can't you say something like: It's generated via SHA-2 using the blabla as seed, and Mossad is using the same algorithm on its top secret things. – pbhd Dec 06 '12 at 17:27
  • 3
    I don't like giving clues, even if they appear harmless. – Corey G Dec 06 '12 at 17:36
1

If anybody debugs the public code in the script editor and keeps pressing STEP IN, then eventually he will reach the library code. So you cannot hide the library code in any way.

Hari Das
  • Only editors and viewers of the Google Apps Script project could debug the code, non-editors/viewers can do this, as other people could run the webapp not everybody is able to see the library code. – Rubén Jan 03 '18 at 18:30