Is it possible to use multiple authentications in a Google Apps Script web-app?

Question

I know how to write a web-app and publish it as myself. What I am trying to do is publish a web app so that it can access both my data and the users data.

For example, the web-app would read data from a Sheet that I own, and then add it to a Sheet the user owns.

I realize one approach is to make my sheet accessible by anyone with the link and have the web-app run in the user's context. When the user views the web-app it will run in the user's context so it can access their Sheet and Since my sheet is viewable by anyone with a link it will be able to access my Sheet.

However, I am trying to do this without making my sheet accessible by anyone with a link.

Is this possible?

Answer 1

Workaround#1: Two web apps

Use two web apps and handle authentication between those two:

• WebApp#1: API to access your sheet

  • Execute as "Me"
  • Access: "Anyone, even anonymous"
  • Handles incoming POST requests: checks for necessary authorizations, authenticates the request and returns data from sheet.

• WebApp#2: User facing app

  • Execute as "User accessing the web app"
  • Access: "Anyone"
  • User requests data from your sheet> Client requests Server(google.script.run)> Server POSTs request along with necessary authorization headers using UrlFetchApp> receives and parses the sheet data and provides it to client.

• Notes:

  • This set up security is only as strong as the authorization/authentication used between the web-apps.

Workaround#2: Client side Google sign in

• Implement Google signin in your webapp.

  • Execute as "Me"
  • Access: "Anyone, even anonymous"
  • Users accessing the web-app must sign in
  • After signing in and authorizing access to their sheets, you can use sheets api to write to their sheet

• References:

  • Google sign-in
  • Sample snippet: Sheets api access from browser
  • Related question