The first Stack Overflow question in my life!
I come from the built-in world of programming, and I have very superficial knowledge of Internet security. I created the platform using Google Apps Script. All data is stored in data tables. Everything works great. I quickly came up with this authentication scheme, and frankly, I'm sure that it should not be protected! Definitely, I'm missing something! Here is my process:
- When visiting the URL (the URL by e-mail is a small community, and it does not need a domain for this), the user is presented with a login form generated using HtmlService (doGet).
- The form submits data (doPost), and the username and password are checked for values in the spreadsheet (TODO: password hashing in the future).
- In the event of a match, a UUID string is generated when Utilities.getUuid() is called. This row is stored in a spreadsheet.
- The script then creates and returns the jQuery Mobile website with HtmlService. All pages are served immediately because they use jQm page navigation.
Here is the service call:
    // "UUID" stands for the value generated at login
    var addedContent = '<script>var session={sessionId:"UUID"}</script>';
    return HtmlService.createTemplateFromFile... ...addedContent(addedContent);

I am using the .addedContent() call to add a UUID string as a JavaScript variable that was created using Utilities.getUuid() upon successful login.
- google.script.run. , :
- UUID , , UUID .
- - - UUID :
, google.script.run async:
    function get_user(username){
        ...
        // Every request carries the username and the most recent session ID
        var session = {username: username, sessionId: lastUUID};
        var data = {
            auth: session,
            action: "getUser",
            username: username
        };
        ...
        google.script.run
            .withSuccessHandler(get_user_success)
            .withFailureHandler(get_user_failure)
            .switchboard(data);
    }
:
    function switchboard(data){
        var result = {sessionId: false};
        var response;
        var action = data["action"];
        // authenticate() returns false, or the session ID to use for the next call
        var auth = authenticate(data["auth"]);
        if (auth === false) return result;
        switch(action){
            ...
            case 'getUser': response = the_real_function_name(data); break;
            ...
        }
        result = { sessionId: auth, response: response };
        return result;
    }
:
    function get_user_success(data){
        // data = {sessionId: "uuidstring", response: obj}, as returned by switchboard()
        sessionId = data["sessionId"]; // new uuid string for subsequent calls
        ...
        $("some#element").val(data["response"]["address"]);
    }
- - UUID , , .
, ( , !), , url. API- google facebook, .
HTTPS ?
?
P.S. , , , : Google script - , - - GAS .
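
The rotating session ID check that `switchboard` relies on, as an added example that is not part of the original post: it runs under Node.js, with `crypto.randomUUID()` standing in for `Utilities.getUuid()` and an in-memory `Map` standing in for the spreadsheet. `issueSession`, `SESSION_TTL_MS`, the `handlers` table and the stored-hash layout are assumptions made for illustration.

```javascript
const crypto = require("crypto");

const SESSION_TTL_MS = 15 * 60 * 1000; // assumed idle timeout
const sessions = new Map();            // username -> { tokenHash, expires }; stands in for the sheet

// Store only a hash of the session ID, so a leaked sheet does not leak live sessions.
const sha256 = (s) => crypto.createHash("sha256").update(String(s)).digest();

// Called after a successful password check, and again on every rotation.
function issueSession(username, now = Date.now()) {
  const sessionId = crypto.randomUUID();
  sessions.set(username, { tokenHash: sha256(sessionId), expires: now + SESSION_TTL_MS });
  return sessionId;
}

// Same contract as the post's authenticate(): false on failure,
// otherwise the new session ID the client must send next time.
function authenticate(auth, now = Date.now()) {
  if (!auth || typeof auth.username !== "string" || typeof auth.sessionId !== "string") {
    return false;
  }
  const record = sessions.get(auth.username);
  if (!record) return false;
  if (now > record.expires) {
    sessions.delete(auth.username);    // expired: force a fresh login
    return false;
  }
  // Both digests are 32 bytes, so the constant-time compare cannot throw.
  if (!crypto.timingSafeEqual(record.tokenHash, sha256(auth.sessionId))) {
    return false;                      // wrong or already-rotated ID; current session is kept
  }
  return issueSession(auth.username, now); // rotate: the presented ID is dead from here on
}

// Hypothetical action table; handlers get the authenticated name, not just client input.
const handlers = {
  getUser: (caller, data) => ({ requestedBy: caller, username: data.username }),
};

function switchboard(data) {
  const result = { sessionId: false };
  const auth = authenticate(data && data.auth);
  if (auth === false) return result;
  // Own-property check so inherited names such as "constructor" are never dispatched.
  const known = Object.prototype.hasOwnProperty.call(handlers, data.action);
  const response = known ? handlers[data.action](data.auth.username, data) : null;
  return { sessionId: auth, response: response };
}
```

Because every ID is single-use, two `google.script.run` calls in flight at the same time will race: the second presents an ID that the first has already retired and gets `sessionId: false`.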