
I have a script that retrieves a webhook (meaning it has to be deployed as a publicly accessible App), and then uses an API to send a message.
The API requires using a key and secret, which I obviously don't want accessible to the public.

Q1: Is there a way to hide an API key/secret in another script and somehow have it accessible?
(Or any other similar solution - doesn't have to be fancy, just functional/safe).


Alternate Question:
Q2: What can a stranger actually see in my public Apps Script project? The full code? If I hide keys in a function with an underscore, i.e. function name_(){}, can they read it?

IMPORTANT INFO: I have not 'shared' the project or spreadsheets with anyone; they're still private. But I've 'deployed' the Web App with permissions for 'anyone'. I assume that means anyone can access it?

TheMaster
JackNapier
  • I have to apologize for my poor English skill. Unfortunately, I cannot understand your situation from `I have a script that retrieves a webhook (meaning it has to be deployed as a publicly accessible App), and then uses an API to send a message.`. Can I ask you about the detail of it? – Tanaike May 28 '22 at 00:26
  • No worries: My Apps Script project receives a webhook message ("BUY" or "SELL") and uses that on a finance exchange API. The API requires a key and secret ('key="abcd"'). But the project can be accessed by anyone to be able to receive the webhook. I don't want them to see my key, so I need to have it somewhere outside of the Apps Script project, but still have the project be able to read it. I'm looking into 'PropertiesService' but can't figure out how secure that is. – JackNapier May 28 '22 at 00:38
  • Thank you for replying. About `My Apps Script project receives a webhook message ("BUY" or "SELL") and uses that on a finance exchange API.`, in your situation, your Google Apps Script retrieves the data from the API using UrlFetchApp with the API key and secret. Is my understanding correct? – Tanaike May 28 '22 at 00:59
  • And, I cannot understand the situation of `But the project can be accessed by anyone to be able to receive the webhook.`. If you want to retrieve only the data and you want to make users show only the data, how about sharing the Spreadsheet including only the data? But, I'm worried that I might not be able to correctly understand your situation. I apologize for this. – Tanaike May 28 '22 at 00:59
  • To explain it simpler - let's forget about the webhook's and API's. Let's say I have an apps script project, that is deployed as a public app. I want a variable in the project to be my last name (let's pretend it's: var lastName = "SMITH"), but I don't want anyone who could view the script (as it's publicly deployed) to be able to see that my last name is "SMITH". That information needs to be somewhere private, outside of the project, but still usable in the script. I'm wanting to know if that's possible. – JackNapier May 28 '22 at 01:12
  • Thank you for replying. From `I have an apps script project, that is deployed as a public app.`, are you using Web Apps created by Google Apps Script? And, the API requests to your Web Apps. And, in your situation, the script of Web Apps is shared with other users. In this case, the user can edit and run the script? – Tanaike May 28 '22 at 01:36
  • Yes it's a web app created by Google Apps Script, deployed for access to "anyone" (the script itself is not 'shared' with anyone). The API request is to a financial trading platform. – JackNapier May 28 '22 at 01:47
  • Thank you for replying. From `a web app created by Google Apps Script, deployed for access to "anyone" (the script itself is not 'shared' with anyone).`, in this case, I think that the script cannot be seen by anyone. By this, even when the value of `var lastName = "SMITH"` is declared in the Google Apps Script, that cannot be seen. But, if you are worried about the security, I would like to recommend using Property of Drive API which is not PropertiesService. When Property of Drive API is used, the value can be stored as private. By this, the value cannot be seen by anyone. – Tanaike May 28 '22 at 01:53
  • Thanks, that makes sense. But I'm not sure what you mean by Drive API? Where is the value stored, and which DriveAPI function retrieves it? – JackNapier May 28 '22 at 01:57
  • When the Drive API is used, the property is stored to the file metadata. In this case, only the Google Apps Script project can see the property. For example, when `PropertiesService.getScriptProperties()` is used, the stored value can be seen at the script editor. – Tanaike May 28 '22 at 02:00
  • Great thank you - I'll look into it. I've accepted the other answer as it clarifies about privacy of the public Web App, but I appreciate your help! – JackNapier May 28 '22 at 02:02
  • Thank you for replying. I'm glad your issue was resolved. Thank you, too. – Tanaike May 28 '22 at 02:03

2 Answers


Everything in the script is visible to whoever has access (script owner, workspace admins, added users). If only the URL of the web app is shared and the script itself is not shared, then they are not able to access the script, so technically you can still keep the keys in your script. It is safe there, and only the owner and workspace admins (if it is a Google Workspace account) can access it.

One way to store the key is in Script Properties. You only need to run the script once to store the API key; after that you can remove the API key from the script and it will still run: https://developers.google.com/apps-script/guides/properties#saving_data

Also refer to this post for more information, in my posted answer I have also provided alternatives and reference links: Is it safe to put in secrets inside Google App Script code?

Logan
  • This sounds interesting. I've already stored the key in the script properties and I'm using `var k = PropertiesService.getScriptProperties().getProperties()` to retrieve it. Are you saying that I only need to get it once and can then delete that line? And FYI, I haven't 'shared' the script with anyone, but my understanding was that 'deploying' with permissions for 'anyone' made it public (which I don't want), correct? – JackNapier May 28 '22 at 01:49
  • @JackNapier if the script itself is not shared and only the web app then they are not able to access the script, so technically you can still keep them in your script. It is safe there and only the owner and workspace admins (if it is for Google workspace) can access it. – Logan May 28 '22 at 01:55
  • Oh awesome thank you! That's helpful. I'll accept your answer if you wanted to edit that information about it being private in? – JackNapier May 28 '22 at 01:58
  • @JackNapier I've actually stated that in the first paragraph :) but I'll rephrase it to make it clear. Thank you! – Logan May 28 '22 at 02:00

My project had this issue too. Because the number of functions is not too large, I hid my main GAS behind a dummy one. So far I have 2 GAS projects:

  1. The main GAS with the key and all functions, which I deploy as a Web App. Of course you need doGet or doPost as the entrance of the API.
  2. The dummy one to share with users.

Then you can call something like the below in the dummy GAS:

    // URL of the main (deployed) web app; the key never leaves that project
    var url = 'https://script.google.com/macros/s/xxxxxxxxxxx/exec';
    var response = UrlFetchApp.fetch(url, {'method': 'get'});

I hope it's useful in your case.

Kodomo
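The two-project layout from this answer, as an added example that is not part of the original post. The main web app here only acts when the dummy presents a shared token read from Script Properties (the property name RELAY_TOKEN and the /exec placeholder URL are illustrative), because a main app deployed for "anyone" is otherwise callable by whoever learns its URL, with or without the dummy in front. The token is sent in the POST body rather than the query string so it does not land in URL logs, and it is compared without short-circuiting on the first differing character. Note what this does and does not protect: anyone with edit access to the dummy project can read its Script Properties, so the token only keeps out callers who hold nothing but the main app's URL. The authorization helpers take plain values so they can be checked outside Apps Script:

```javascript
// Added example, not from the original answer. RELAY_TOKEN and the /exec URL
// are assumptions for illustration.

// ---- main (back-end) project: holds the exchange key/secret ----

// Compare two strings without stopping at the first mismatch, so a caller
// cannot learn the token one character at a time from response timing.
function constantTimeEqual_(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  var diff = a.length ^ b.length;
  var n = Math.max(a.length, b.length);
  for (var i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0); // NaN | 0 === 0 past the end
  }
  return diff === 0;
}

// `params` is e.parameter from doPost; `expected` is the stored token.
// A missing stored token is a configuration error, not an open door.
function authorizeRelay_(params, expected) {
  if (!expected) throw new Error('RELAY_TOKEN is not set in Script Properties');
  return constantTimeEqual_(params && params.token, expected);
}

// Entry point of the main web app; only runs inside Apps Script.
function doPost(e) {
  var expected = PropertiesService.getScriptProperties().getProperty('RELAY_TOKEN');
  if (!authorizeRelay_(e.parameter, expected)) {
    return ContentService.createTextOutput('forbidden');
  }
  // Only now read the exchange key/secret, which exist solely in this project,
  // and act on e.parameter.action.
  return ContentService.createTextOutput('ok');
}

// ---- dummy (front) project: has no exchange credentials at all ----

// Forwards an action to the main app. The relay token comes from the dummy
// project's own Script Properties; it is never pasted into its source.
function relayToMain_(action) {
  var token = PropertiesService.getScriptProperties().getProperty('RELAY_TOKEN');
  var url = 'https://script.google.com/macros/s/xxxxxxxxxxx/exec'; // main app's /exec URL
  var resp = UrlFetchApp.fetch(url, {
    method: 'post',
    payload: { token: token, action: action }, // form-encoded body, surfaces as e.parameter
    muteHttpExceptions: true
  });
  return resp.getContentText();
}
```

Set RELAY_TOKEN to the same long random value in both projects' Script Properties; rotating it is then a matter of updating two properties, with no source edits and no redeploy.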