I am developing an add-on for Google Docs and I want to make a POST request to my web server from the add-on. I have already done that, but how should I validate on the server side that the request is coming from my add-on only? Is there a CSRF-like mechanism in Google Apps Script? If not, is there any workaround?
1 Answer
There is a direct method in Apps Script to get a UUID: Utilities.getUuid()
Reference: https://developers.google.com/apps-script/reference/utilities/utilities#getuuid
For memory, the previous answer is below.
There is no mechanism for that, but the best way is to add a specific key to the POST request, like an API key in Google, for example: 94e631ba-9916-4490-a084-cde08dcc0757
For generating a key, see the example here: https://codepen.io/corenominal/pen/rxOmMJ. Adapted code below:
function generateUUID()
{
  // Mix the current time (ms since epoch) with Math.random() so that two
  // calls in the same millisecond still differ. Note that Math.random() is
  // not a cryptographically secure generator.
  var d = new Date().getTime();
  var uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c)
  {
    // Lowest hex digit of the timestamp, offset by a random 0..15, gives this position's digit.
    var r = (d + Math.random()*16)%16 | 0;
    // Consume that hex digit of the timestamp so the next position uses the next one.
    d = Math.floor(d/16);
    // 'y' positions carry the RFC 4122 variant bits (8, 9, a or b); 'x' positions keep r as-is.
    return (c=='x' ? r : (r&0x3|0x8)).toString(16);
  });
  return uuid;
}
Then on your server you check this value. If the API key is valid you perform the request; if not, you return a 403.
If you want, you can implement an OAuth flow to connect to your server like Google does for its APIs, but from my point of view it is faster to use an API key. If you combine 2 keys like the one above, the probability of finding it is near 0.
Stéphane
- You are generating this API key on the client side. Then how will the server know it beforehand, so that it can verify it? – aaryan Jan 22 '18 at 17:24
- The script is just an example of code to generate a complex id. You use this code to generate your API key and you hard-code the key in the backend of the Apps Script. – St3ph Jan 23 '18 at 10:23
- What's the point of the line d = Math.floor(d/16);? – heroicadventures Jun 07 '22 at 09:29
- This answer is a bit old; there is now a method in Apps Script to generate a UUID: Utilities.getUuid() https://developers.google.com/apps-script/reference/utilities/utilities#getuuid – St3ph Jun 08 '22 at 13:01