Tags: google-apps-script, csrf, csrf-protection

Google App Script request validation on server


I am developing an add-on for Google Docs and I want to make a POST request to my web server from the add-on. I have already done that, but how should I validate on the server side that the request is coming from my add-on only? Is there a CSRF-like mechanism in Google Apps Script? If not, is there any workaround?


Solution

  • There is a direct method in Apps Script to get a UUID: Utilities.getUuid()

    Reference : https://developers.google.com/apps-script/reference/utilities/utilities#getuuid

    For the record, the previous answer is below.


    There is no mechanism for that, but the best way is to add a specific key to the POST request, like an API key in Google, for example: 94e631ba-9916-4490-a084-cde08dcc0757

    For generating a key, an example is here: https://codepen.io/corenominal/pen/rxOmMJ Adapted code below:

    // Builds a random version-4 UUID string such as
    // 94e631ba-9916-4490-a084-cde08dcc0757 to use as the API key.
    // Note: Math.random() is not a cryptographically secure generator;
    // the current time is mixed in to add some variation.
    function generateUUID()
    {
        var d = new Date().getTime();

        // 'x' positions become any hex digit, the fixed '4' marks version 4,
        // and the 'y' position is forced into 8..b as the variant bits.
        var uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c)
        {
            var r = (d + Math.random()*16)%16 | 0;
            d = Math.floor(d/16);
            return (c=='x' ? r : (r&0x3|0x8)).toString(16);
        });

        return uuid;
    }
    

    Then on your server you check this value. If the API key is valid you perform the request; if not, you return a 403.

    If you want, you can implement an OAuth flow to connect to your server, like Google does for its APIs, but from my point of view it is faster to use an API key. If you combine 2 keys like the one above, the probability of finding it is near 0.

    Stéphane