Google Apps Script Web App URLs – Are They Secret?

google-apps-script

I want to use a Google Apps Script web app to download data from a specific Google Forms. In order to avoid having to login to get the data, I want to specify that the web app runs as me, and is accessible from anonymous users.

If I then keep the URL of that web app to myself (except for using it to get the data through the HTTPS request), is it reasonable to assume that nobody else can use it?

In other words, is there enough randomness in the script's URL to make it safe to use for accessing private data?

_{I want to use this script in a program, but I don't want to figure out how to login programmatically.}

Best Answer

As the post linked by Rubén calculates, there is plenty of entropy in the URL of a GAS web app. That post considers document Id, which has 44 characters; by my count, web app URLs have 54-55 random characters. You certainly don't have to worry about brute force attack.

The weak spot is you or your program leaking the URL in some way. This is somewhat troublesome because if you suspect a leak, you can't change the URL easily the way we change passwords. To guard against that scenario, you may want to generate a token for your program to send with its GET or POST request to the app. The app would do something like

doGet(e) {
  if (e.parameter.token == "valid_token") {
    return information;
  }
}

Related Solutions

Google-sheets – Enabling script to run as author in a shared Google spreadsheet

Scripts are run as the user who is viewing the spreadsheet, unless they are published as web applications, in which case you can choose to run the script as the spreadsheet owner.

So, in order to let your anonymous users modify the spreadsheet via a script, you need to give them edit rights, or publish your scripts as a web application, and instruct your users to visit the web application.

Google-sheets – Create a function to copy range (values only) to a new tab at specified intervals

I wasn't quite sure what you meant by Range as an input to your custom function. Is this the source range or destination range?

Anyways, this is something that should hopefully get you started. There is no timer element, nor is it a custom function. But can be converted to one easily.

The manual timer element can be achieved by adding a trigger. In script editor, go to resources, current project triggers. You can attach a script to a date trigger of your choosing.

function backup(){
/* Edit the vars below this line for your needs */
var sourceSheet  = "Sheet2" ;  // Enter the name of the sheet with the source data
var sourceRange = "A1:B20" ; // Enter the range of the cells with the source data
var targetSheet = "Sheet3" ; // Enter the name of the target sheet  
var targetRange = "A2:B21" ; // Enter the range of cells you wish to copy data to. Note this must be same size as source range.
/* No need to edit below this point */  


var ss = SpreadsheetApp.getActiveSpreadsheet();
var sheet = ss.getSheetByName(sourceSheet);
var values = sheet.getRange(sourceRange).getValues();
ss.getSheetByName(targetSheet).getRange(targetRange).setValues(values);

}

Best Answer

Related Solutions

Google-sheets – Enabling script to run as author in a shared Google spreadsheet

Google-sheets – Create a function to copy range (values only) to a new tab at specified intervals

Related Topic