当有人像我一样运行Google Apps脚本网络应用程序时获取用户信息 [英] Get user info when someone runs Google Apps Script web app as me
问题描述
我有一个独立的Google Apps脚本部署为网络应用程序.该应用程序以我的身份执行,因为我希望它可以访问存储在我的云端硬盘中的文件,并且因为我希望它生成Google表格文件,该文件的某些范围受到用户的保护,因此仍然可以通过脚本进行编辑.但是,我希望将这些文件隔离到文件夹中,并且每个文件夹都分配给一个用户,因此我需要在每次运行该应用程序时知道该用户是谁.
I have a standalone Google Apps Script deployed as a web app. The app is executed as me, because I want it to access files stored on my Drive, and because I want it to generate Google Sheets files that have some ranges protected from the user that are still editable by the script. However, I want these files to be segregated into folders, and each folder is assigned to a user, so I need to know who the user is each time the app runs.
Session.getActiveUser().getEmail()不起作用,因为该Web应用程序是作为我而不是作为用户部署的.我的另一个想法是使该应用对所有人可用,甚至是匿名的"(现在它仅对所有人可用"),以跳过Google的登录屏幕,并使用某种第三方身份验证服务或脚本.构建自己的应用似乎有点过头了,因为它似乎应该已经存在,但是到目前为止,我的研究只发现了Auth0之类的东西,它似乎与我的基于Google Apps Script的简单应用不兼容,否则我就没有足够的经验来解决这个问题如何使用它们.
Session.getActiveUser().getEmail() doesn't work since the web app is deployed as me and not as the user. My other thought was to make the app "available to everyone, even anonymous" (right now it's just "available to everyone") to skip Google's login screen, and use some kind of third-party authentication service or script. Building my own seems like overkill because this seems like it should already exist, but so far my research has only turned up things like Auth0 which seem incompatible with my simple Google Apps Script-based app, or else I'm too inexperienced to figure out how to use them.
有人对如何验证这种Web应用程序的用户有建议吗?最好是随附了对初学者友好的教程或文档?或者,对于我来说,还有另一种方法可以找出谁在运行该应用程序,而仍然自己执行该应用程序?
Does anyone have a suggestion for how to authenticate users for this kind of web app? Preferably something that comes with a beginner-friendly tutorial or documentation? Or, is there another way for me to find out who's running the app while still executing it as myself?
对此我还很陌生,甚至不确定我是否以正确的方式提出了这个问题,因此建议的编辑将不胜感激.
I am so new to this I'm not even sure I'm asking this question in the right way, so suggested edits are taken gratefully.
推荐答案
我可以想到两种方法来解决此问题:部署Web应用程序以在用户访问它时执行该应用程序:
I can think of two ways you might approach this where the Web App is deployed to execute as the user accessing it:
- 方案A: 创建服务帐户访问存储在云端硬盘中的文件并生成Google表格.
- 方案B: 创建一个单独的Apps脚本项目,该项目部署为API可执行文件,并从主Web应用程序调用其功能.
- Scenario A: Create a service-account to access files stored on your Drive and to generate google sheets.
- Scenario B: Create a separate Apps Script project deployed as an API Executable and call its functions from the main Web App.
这些方法是可行的,但是每种方法都有很多优点和缺点.
These methods are viable but there are a number of pros and cons to each.
两者都需要OAuth2身份验证,但是由于 Eric Koleda的OAuth2库,该位相当容易处理.
Both require OAuth2 authentication, but that bit is fairly easy to handle thanks to Eric Koleda's OAuth2 library.
此外,在两种情况下,您都需要将主Apps脚本项目绑定/链接到GCP项目,并启用适当的服务(在您的情况下为Google Sheets和Google Drive API(
Also, in both scenarios, you'll need to bind/link your main Apps Script project to a GCP project and enable the appropriate services, in your case Google Sheets and Google Drive APIs (see documentation for more details).
对于方案A ,必须在同一GCP项目下创建服务帐户.对于方案B ,API可执行文件的辅助Apps脚本项目也必须绑定到同一GCP项目.
For Scenario A, the service account must be created under the same GCP project. For Scenario B, the secondary Apps Script project for the API executable must also be bound to the same GCP project.
您需要与服务帐户共享您要访问/修改(和/或创建内容)的文件和文件夹.该服务帐户拥有自己的电子邮件地址,您可以像使用任何其他Gmail帐户一样共享它的Google驱动器文件/文件夹.
You'll need to share the files and folders you want to access/modify (and/or create content in) with the service account. The service account has it own email address and you can share google drive files/folders with it as you would with any other gmail account.
对于新创建的内容,权限可能是一个问题,但是值得庆幸的是,在文件夹下创建的文件继承了该文件夹的权限,因此您应该在这方面表现出色.
For newly created content, permissions could be an issue, but thankfully files created under a folder inherit that folder's permissions so you should be good on that front.
但是,您必须直接将REST API用于Drive and Sheets服务;通过UrlFetch调用它们,以及服务帐户的访问令牌(使用OAuth2库生成).
However, you'll have to use the REST APIs for Drive and Sheets services directly; calling them via UrlFetch along with the access token (generated using the OAuth2 library) for the Service Account.
您需要设置一个单独的Apps Script项目,并构建一个可由第三方调用的公共API(非私有函数的集合).
You'll need to setup a separate Apps Script project and build out a public API (collection of non-private functions) that can be called by a 3rd party.
一旦脚本与主Web App绑定到相同的GCP项目,则需要在IAM(身份访问管理)面板下的GCP控制台中生成额外的OAuth2凭据.
Once the script is bound to the same GCP project as the main Web App, you'll need to generate extra OAuth2 credentials from GCP console under the IAM (Identity Access Management) panel.
您将使用客户端ID和客户端密钥来生成特定于您帐户的刷新令牌(使用OAuth2库).然后,您将在主Web应用程序中使用此刷新令牌来为API可执行文件生成必需的访问令牌(也使用OAuth2库).与之前的场景一样,您需要使用UrlFetch来使用生成的访问令牌在API可执行文件上调用方法.
You'll use the Client ID and Client Secret, to generate a refresh token specific to your account (using the OAuth2 library). Then you'll use this refresh token in your main Web App to generate the requisite access token for the API executable (also using the OAuth2 library). As in the previous scenario, you'll need to use UrlFetch to invoke the methods on the API Executable using the generated access token.
值得注意的是,您不能在API可执行代码中使用触发器,因为这些触发器是不允许的.
One thing to note, you cannot use triggers within the API executable code as they are not allowed.
很显然,我已经掩盖了很多细节,但这足以让您入门.
Obviously, I've glossed over a lot of the details but that should be enough to get you started.
祝你好运.
这篇关于当有人像我一样运行Google Apps脚本网络应用程序时获取用户信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
