(core) Extending Google Drive integration scope

Summary: New environmental variable GOOGLE_DRIVE_SCOPE that modifies the scope requested for Google Drive integration. For prod it has value https://www.googleapis.com/auth/drive.file which leaves current behavior (Grist is allowed only to access public files and for private files - it fallbacks to Picker). For staging it has value https://www.googleapis.com/auth/drive.readonly which allows Grist to access all private files, and fallbacks to Picker only when the file is neither public nor private). Default value is https://www.googleapis.com/auth/drive.file Test Plan: manual and existing tests Reviewers: dsagal Reviewed By: dsagal Subscribers: dsagal Differential Revision: https://phab.getgrist.com/D3038
2026-03-02 04:09:24 +00:00 · 2021-09-30 10:19:22 +02:00
parent a0c53f2b61
commit 42910cb8f7
13 changed files with 302 additions and 131 deletions
--- a/app/server/lib/GoogleAuth.ts
+++ b/app/server/lib/GoogleAuth.ts
@@ -16,6 +16,8 @@ import {URL} from 'url';
 *                          the same client id is used in Google Drive Plugin
 * - GOOGLE_CLIENT_SECRET:  secret key for Google Project, can't be shared - it is used to (d)encrypt
 *                          data that we obtain from Google Auth Service (all done in the api)
+ * - GOOGLE_DRIVE_SCOPE:    scope requested for the Google drive integration (defaults to drive.file which allows
+ *                          to create files and get files via Google Drive Picker)
 *
 * High level description:
 *
@@ -55,13 +57,9 @@ import {URL} from 'url';
 * in a query string.
 */

-
 // Path for the auth endpoint.
 const authHandlerPath = "/auth/google";

-// "View and manage Google Drive files and folders that you have opened or created with this app.""
-export const DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive.file';
-
 // Redirect host after the Google Auth login form is completed. This reuses the same domain name
 // as for Cognito login.
 const AUTH_SUBDOMAIN = process.env.GRIST_ID_PREFIX ? `docs-${process.env.GRIST_ID_PREFIX}` : 'docs';
@@ -97,7 +95,7 @@ export async function googleAuthTokenMiddleware(
    throw new ApiError("Google Auth endpoint requires a code parameter in the query string", 400);
  } else {
    try {
-      const oAuth2Client = _googleAuthClient();
+      const oAuth2Client = getGoogleAuth();
      // Decrypt code that was send back from Google Auth service. Uses GOOGLE_CLIENT_SECRET key.
      const tokenResponse = await oAuth2Client.getToken(stringParam(req.query.code));
      // Get the access token (access token will be present in a default request configuration).
@@ -150,8 +148,8 @@ export function addGoogleAuthEndpoint(
        throw new ApiError("Error authenticating with Google", 500);
      }
    } else {
-      const oAuth2Client = _googleAuthClient();
-      const scope = optStringParam(req.query.scope) || DRIVE_SCOPE;
+      const oAuth2Client = getGoogleAuth();
+      const scope = stringParam(req.query.scope);
      // Create url for origin parameter for a popup window.
      const origin = getOriginUrl(req);
      const authUrl = oAuth2Client.generateAuthUrl({
@@ -172,7 +170,7 @@ export function addGoogleAuthEndpoint(
 /**
 * Builds the OAuth2 Google client.
 */
-function _googleAuthClient() {
+export function getGoogleAuth() {
  const CLIENT_ID = process.env.GOOGLE_CLIENT_ID;
  const CLIENT_SECRET = process.env.GOOGLE_CLIENT_SECRET;
  const oAuth2Client = new auth.OAuth2(CLIENT_ID, CLIENT_SECRET, getFullAuthEndpointUrl());