-1

I need your help uploading a zip file to Google Drive without authenticating manually in my browser, so that I can schedule the backup automatically.

My authentication and uploading code is as follows:

    $client = new Google_Client();
    $client->setClientId('clientid');
    $client->setClientSecret('clientsecret');
    $client->setAccessType("offline");

    $client->setRedirectUri('http://localhost:60/pathtofile.php');
    $client->setScopes(array('https://www.googleapis.com/auth/drive.file'));

    session_start();

    if (isset($_GET['code']) || (isset($_SESSION['access_token']) && $_SESSION['access_token'])) {
        if (isset($_GET['code'])) {
            $client->authenticate($_GET['code']);
            $_SESSION['access_token'] = $client->getAccessToken();
        } else {
            $client->setAccessToken($_SESSION['access_token']);
        }

        $service = new Google_Service_Drive($client);

        //Insert a file
        $file = new Google_Service_Drive_DriveFile();
        //$file->setName(uniqid().'.zip');
        $file->setName($zipName . '.zip');
        $file->setDescription('Testing document ZIP backups');
        $file->setMimeType('application/zip');

        $data = file_get_contents($zipPath = $publicPath . '\\removedorgname\\backups\\' . $zipName . '.zip');

        $createdFile = $service->files->create($file, array(
            'data' => $data,
            'mimeType' => 'application/zip',
            'uploadType' => 'multipart'
        ));

        print_r($createdFile);

    } else {
        $authUrl = $client->createAuthUrl();
        header('Location: ' . $authUrl);
        exit();
    }

The problem I'm facing is that it asks me to manually sign in to the Google account. I have researched this concept of a refresh token but don't understand how to implement it.

HP.
  • this is nonsense. better use a service account to act on your behalf. – Martin Zeitler Sep 06 '18 at 11:30
  • You don't need to set up a service account; it is possible to authorise using a refresh token. Anyway, I have found the solution to my problem, which I will post below in case others need it. – HP. Sep 06 '18 at 11:56
  • Can someone explain to me what would be the negatives of doing it this way as opposed to a service account? – HP. Sep 06 '18 at 11:57
  • you might a) have to interact manually (contrary to the stated requirements) or b) would expose your backup (as you stated in the requirements) to the public, in case uploading to a public directory. – Martin Zeitler Sep 06 '18 at 11:58
  • Hi Martin, although before I had to sign in manually, now Google automatically gets the access token from the refresh token and authenticates. How is my backup exposed to the public? Is it because I'm storing it in a public path? That is only for testing purposes, and when live I will store the backup zip files and this code in a private folder on the server. – HP. Sep 06 '18 at 12:18
  • the only risk is if your Refresh Token is revealed. Provided you keep the RT private, there is no security risk. – pinoyyid Sep 06 '18 at 19:15
  • Thanks pinoyyid, yes, I will keep the refresh token in a private folder and refer to it when required. – HP. Sep 07 '18 at 07:17

1 Answer

0

I think I've found the solution to my issue. Is this correct or incorrect?

  1. Log in when Google prompts you to do so (only the first time)

Now that you have the access token (which will expire), you need the refresh token.

    $_SESSION['access_token'] = $client->getAccessToken();

    $token = $client->getAccessToken();
    var_dump($token);

You need to var_dump the access token which will give you a refresh code.

Then once I had the refresh code I used this bit of code to check if the access token was expired and if it was to use the refreshtoken to fetch the access token.

    if ($client->isAccessTokenExpired()) {
        $client->fetchAccessTokenWithRefreshToken('removedtoken');
    }

I still need to extract the new refresh token from this access token and save the refresh token somewhere for when this access token expires.

HP.
  • assuming that you requested offline access, then you are correct that the token object will contain a refresh token which you can store securely and use to request an access token without being logged in. – pinoyyid Sep 06 '18 at 19:14
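
An added example (not code from the question or the answer): a CLI script for a scheduled job that loads the token saved after the first browser login, refreshes it when expired, and writes it back with the refresh token preserved. The Composer autoload path, the `GDRIVE_*` environment variables, the token file location and the default zip path are hypothetical placeholders.

```php
<?php
// Added example: unattended (cron / Task Scheduler) upload using a stored refresh token.
// Hypothetical names: autoload path, GDRIVE_* env vars, TOKEN_FILE, default zip path.
require_once __DIR__ . '/vendor/autoload.php';
const TOKEN_FILE = '/var/backup-secrets/gdrive-token.json'; // keep outside the web root

function saveToken(array $token): void
{
    $tmp = TOKEN_FILE . '.tmp';
    $old = umask(0077); // owner-only file on POSIX hosts; on Windows restrict the folder ACL
    file_put_contents($tmp, json_encode($token), LOCK_EX);
    umask($old);
    rename($tmp, TOKEN_FILE); // replace in one step so a crash cannot leave a half-written token
}

function authorisedClient(): Google_Client
{
    $client = new Google_Client();
    $client->setClientId(getenv('GDRIVE_CLIENT_ID'));
    $client->setClientSecret(getenv('GDRIVE_CLIENT_SECRET')); // not hard-coded in the script
    $client->setAccessType('offline');
    $client->setScopes(['https://www.googleapis.com/auth/drive.file']);
    $stored = json_decode((string) @file_get_contents(TOKEN_FILE), true);
    if (!is_array($stored) || empty($stored['refresh_token'])) {
        throw new RuntimeException('No refresh token stored; run the browser flow once.');
    }
    $client->setAccessToken($stored);
    if ($client->isAccessTokenExpired()) {
        $new = $client->fetchAccessTokenWithRefreshToken($stored['refresh_token']);
        if (isset($new['error'])) {
            throw new RuntimeException('Token refresh failed: ' . $new['error']);
        }
        // The refresh response may omit refresh_token, so carry the stored one forward.
        $token = $client->getAccessToken();
        $token['refresh_token'] = $token['refresh_token'] ?? $stored['refresh_token'];
        saveToken($token);
    }
    return $client;
}

$zipPath = $argv[1] ?? '/var/backups/site.zip';
$service = new Google_Service_Drive(authorisedClient());
$file = new Google_Service_Drive_DriveFile();
$file->setName(basename($zipPath));
$created = $service->files->create($file, [
    'data' => file_get_contents($zipPath),
    'mimeType' => 'application/zip', 'uploadType' => 'multipart',
]);
echo 'Uploaded file id: ' . $created->getId() . PHP_EOL;
```

If the refresh call reports an error such as `invalid_grant`, the stored refresh token has been revoked or has expired and the one-time browser login has to be repeated.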