I am writing a Chrome App and I want to use the Google Drive API to let my users read/write files to their own Google Drive.

I have found info suggesting that the only way to go through the OAuth flows from a Chrome App is to use a webview (see this previous StackOverflow question, "Google Drive Realtime API in a Chrome Packaged App").

This restriction makes sense to me because to go through an OAuth flow you have to load external content, and keeping this isolated from the privileged Chrome App code sounds important from a security perspective.

But once you have the OAuth access token, it seems like the JavaScript from the Chrome App should be able to make requests to the Google Drive API directly. This isn't loading any content (i.e. HTML or JS) into the browser, it's just calling a remote API to read/write data.

But it appears that the only supported way to use the Google JavaScript API is to load it remotely, using code like this:

<script src="https://apis.google.com/js/client.js"></script>

This won't work because the Chrome App isn't allowed to load remote content.

And my idea of just downloading that client.js and dropping it in my local Chrome App directory doesn't work, because client.js seems to assume that it can continue downloading/executing more JavaScript as necessary.

So basically, from what I can tell, the Google JavaScript API appears to be hostile to being downloaded ahead-of-time and run from local files only. Does that sound accurate? If so, the only way for the app to get remote data from the API is to pass messages between the webview and the main app, which sounds like a huge pain.

Any solution to this? Or do I have to tunnel all data to/from the API through a webview? :(

Josh Haberman
  • What happens if you try something like this? http://stackoverflow.com/a/8578840/1112669 – ecnepsnai Jul 03 '14 at 05:29
  • "Refused to load the script 'http://www.google-analytics.com/ga.js' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback." Clever idea though! – Josh Haberman Jul 03 '14 at 05:32
  • Okay, what about this? http://stackoverflow.com/a/8861191/1112669 – ecnepsnai Jul 03 '14 at 05:33
  • "There were warnings when trying to install this extension: 'content_scripts' is only allowed for extensions and legacy packaged apps, but this is a packaged app." – Josh Haberman Jul 03 '14 at 05:36

1 Answer

Use the identity API, specifically chrome.identity.getAuthToken to get authorization. It encapsulates the OAuth work. Then, once authorized, use Ajax to execute specific APIs (e.g., to a URL like https://www.googleapis.com/METHOD where METHOD is the method.)

In other words, you can access Google APIs directly, without dealing with the complexity of OAuth and certainly without horsing around with a webview.

In your manifest.json, you'll need stuff like this:

"permissions": [
    "identity"
],
"oauth2": {
    "client_id": "....apps.googleusercontent.com",
    "scopes": [
        "https://www.googleapis.com/auth/drive"
    ]
}
Marc Rochkind
  • Thanks for the getAuthToken tip. That will help avoid using a webview for the auth step. But my question was more about how to access the API *post*-auth. All the code samples use the Google JavaScript API client, and code like gapi.client.drive.files.get(). But the client library that provides that API doesn't seem to be easy or possible to download. That's what my question is about, not the auth step. – Josh Haberman Jul 06 '14 at 06:01
  • I recognize that I could make all of the REST requests manually, but I was hoping to use a higher-level client library that would make it look like function calls instead of having to build the request manually, put the auth token in the right place, etc. – Josh Haberman Jul 06 '14 at 06:09
  • I use a simple interface that gives me access to the APIs. It takes the name of the method (which becomes part of the URL path) and the parameters as arguments. – Marc Rochkind Jul 08 '14 at 13:27
  • @JoshHaberman I am currently building a Chrome Identity Javascript client library for the Google Sheets API with hopes of adding support for others down the road :) – Ruby_Pry May 15 '15 at 20:58
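
The approach described in the answer and in Marc Rochkind's comment (a token from chrome.identity.getAuthToken, then plain REST calls through a wrapper that takes a method path and parameters), as an added example that is not code from any poster in this thread. The Drive v3 base URL, the helper names `buildRequest`, `getToken` and `driveCall`, and the retry-once-on-401 policy are assumptions of this example.

```javascript
// Added example, not from the original thread. Assumed: Drive v3 base URL, helper names.
const API_ROOT = "https://www.googleapis.com/drive/v3/";

// Build URL + fetch options. The token travels in a header and only to API_ROOT.
function buildRequest(httpMethod, path, params, token, body) {
  const url = new URL(path, API_ROOT);
  if (!url.href.startsWith(API_ROOT)) throw new Error("path escapes " + API_ROOT);
  for (const [k, v] of Object.entries(params || {})) url.searchParams.set(k, String(v));
  const headers = { Authorization: "Bearer " + token };
  const init = { method: httpMethod, headers };
  if (body !== undefined) {
    headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return { url: url.href, init };
}

// Promise wrapper around chrome.identity.getAuthToken (callback style).
function getToken(identity) {
  return new Promise((resolve, reject) => {
    identity.getAuthToken({ interactive: true }, (token) =>
      token ? resolve(token) : reject(new Error("no OAuth token granted")));
  });
}

// Call one API method; `identity` is chrome.identity inside the app.
async function driveCall(identity, httpMethod, path, params, body, fetchImpl = fetch) {
  for (let attempt = 0; attempt < 2; attempt++) {
    const token = await getToken(identity);
    const { url, init } = buildRequest(httpMethod, path, params, token, body);
    const res = await fetchImpl(url, init);
    if (res.status === 401 && attempt === 0) {
      // Cached token expired or was revoked: evict it, then retry once.
      await new Promise((done) => identity.removeCachedAuthToken({ token }, done));
      continue;
    }
    if (!res.ok) throw new Error("Drive API returned HTTP " + res.status);
    return res.json();
  }
}
```

Inside the app, `driveCall(chrome.identity, "GET", "files", { pageSize: 10 })` resolves to the parsed JSON response; the prefix check in `buildRequest` keeps a caller-supplied path from sending the bearer token to any other origin or API.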