NodeMailer-使用Google服务帐户发送邮件失败,因为“用户名和密码未接受” [英] NodeMailer - send mail with Google service account fails because "Username and Password not accepted"
问题描述
我正在创建一个Twitter机器人,并且正在实现一种方法,如果发生错误,该方法会向我发送电子邮件。因为我已经在使用Google API来访问Google云端硬盘(这里没有问题),所以我决定使用该服务帐户发送电子邮件(Google控制台说可以使用这种方式)
I'm creating a Twitter bot and I'm implementing a method that sends me a email if there is an error. As I'm already using the google API to access Google Drive (have no problem here), I decided to use the service account to send the email (Google console says it could be used that way)
到目前为止,我提出的发送电子邮件的方法是:
The method I've come up to send the email so far is:
var config = require('./config/mail');
var google = require('./config/google');
var nodemailer = require('nodemailer');
var send = function (args) {
let transporter = nodemailer.createTransport({
'service': 'gmail',
'auth': {
'type': 'OAuth2',
'user': google.client_email,
'serviceClient': google.client_id,
'privateKey': google.private_key
}
});
transporter.on('token', token => console.log(token));
let message = {
'from': `"${config.serverFromName}" <${config.serverFromMail}>`,
'to': args.to,
'subject': args.subject,
'text': args.text,
'html': `<p>${args.text}</p>`
};
transporter.sendMail(message, (err, info) => {
if (err) {
console.log('Mail couldn\'t be sent because: ' + err);
} else {
console.log('Mail sent');
}
});
};
config / google 文件包含数据创建服务帐户时Google为您生成的信息。 config.serverFromName 和 config.serverFromMail 是发件人的名称和电子邮件(与服务帐户ID不同) )。 args 包含配方电子邮件和内容
The config/google file contains the data that Google generates for you when you create a service account. config.serverFromName and config.serverFromMail are the name and email of the sender (not the same as the service account id). args contains the recipent email and the content
当我测试send方法时,我收到了以下消息控制台:
When I test the send method, I got the following message in my console:
Mail couldn't be sent because: Error: Invalid login: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 https://support.google.com/mail/?p=BadCredentials z123sm543690vkd.10 - gsmtp
我知道令牌创建正确,因为我创建的侦听器正在打印令牌:
I know the token is being created correctly because the listener I created is printing it:
{ user: 'name@project.iam.gserviceaccount.com',
accessToken: 'ya29.ElmIBLxzfU_kkuZeyISeuRBeljmAe7HNTlwuG4K12ysUNo46s-eJ8NkMYHQqD_JrqTlH3yheNc2Aopu9B5vw-ivEqvPR4sTDpWBOg3xUU_4XiJEBLno8FHsg',
expires: 1500151434603 }
在Internet上搜索时,我发现OAuth范围可能有问题。但是,所有讨论此问题的信息都涉及使用客户端ID,而不是服务帐户。我也没有在Google开发人员控制台中找到该选项。
Searching on the Internet I found that it may be a problem with the OAuth scope. However, all the info that talks about it refers to using Client IDs, not service accounts. I don't find that option in the Google developer console, either.
任何关于我做错事情的想法吗?
Any ideas of what I'm doing wrong?
推荐答案
底线:nodemailer不能具体描述Google描述服务帐户的方式。但是有一种方法!
Bottom Line: The specific way Google describes a service account is INCOMPATIBLE with nodemailer. BUT there is a way!
我刚刚花了无数个小时来解决同一问题!我得出的结论是,Google的管理控制台已间接删除了此功能的一半。控制台没有提供一种通过服务帐户首次授权(用户接受同意屏幕的用户)所需范围的方法。
I have just spent countless hours myself up over this same issue! I have come to the conclusion, Google's Admin Console has removed half this capability indirectly. The console does not provide a way to authorize (a user accepting the consent screen) the desired scope the very first time with a service account.
首先,请遵循 Node.JS快速入门说明,以供Google Drive API授权范围并接收
First up, follow the Node.JS Quickstart instructions for Google Drive API to authorize a scope and receive a refresh token.
-
转到 console.developers.google.com ,构建OAuth2.0客户端ID,然后下载client_secret.json文件。
Go to console.developers.google.com, build a OAuth2.0 Client Id, and download the client_secret.json file.
创建一个单独的临时模块文件夹,并使用NPM下载Google api模块
Create a separate temporary module folder and use NPM to download google api modules
npm install googleapis
npm install googleapis
npm install google-auth-library
npm install google-auth-library
创建quickstart.js文件
Create a quickstart.js file
将client_secret.json文件放在quickstart.js旁边
Place your client_secret.json file next to quickstart.js
quickstart.js中的第7行是用于定义要允许应用程序访问的范围的数组。根据需要进行修改。强烈建议仅按预期提供访问权限。请参见 Gmail API范围。
Line 7 in the quickstart.js is the array to define the scopes you intend to allow the application to access. Modify it as you see necessary. It is highly recommended to only provision access for what is intended. See Gmail API Scopes.
运行 node quickstart.js
在浏览器中打开URL,进行身份验证,然后将代码从浏览器复制回终端窗口。这将下载一个nodejs-gmail-quickstart.json文件,该文件的位置将在 stdout 中提供。
这是您无法完成的部分服务帐户。此操作将SCOPES数组中提供的范围授权给下载的access_token&刷新令牌。
Open the URL in a browser, authenticate, and copy the code from the browser back into the terminal window. This will download a nodejs-gmail-quickstart.json file which the location will be provided in stdout.
This is the part you are unable to accomplish for a Service Account. This action authorizes the scopes provided in the SCOPES array to the downloaded access_token & refresh token.
注意:access_token的寿命为1小时。
NOTE: access_token's have a lifespan of 1 hour. refresh_token's are immortal.
现在,您已经拥有一个授权的refresh_token!
接下来是在 Nodemailer 中使用3LO设置您的auth对象。我将更多地看下面的示例,因为并非所有值都是必需的。我的身份验证如下所示:
Now you have an authorized refresh_token! Next is setting up your auth object with 3LO in Nodemailer. I would look more at the bottom examples because not all values are required. My auth looks like this:
const mailbot = nodemailer.createTransport({
host: 'smtp.gmail.com',
port: 587, // TLS (google requires this port for TLS)
secure: false, // Not SSL
requireTLS: true, // Uses STARTTLS command (nodemailer-ism)
auth: {
// **HIGHLY RECOMMEND** ALL values be
// read in from a file not placed directly in code.
// Make sure that file is locked down to only the server daemon
type : 'OAuth2',
user : config.client_email,
scope : "https://www.googleapis.com/auth/gmail.send",
clientId : config.client_id,
clientSecret: secret,
refreshToken: activeToken.refresh_token
// AT RUNTIME, it looks like this:
//type : 'OAuth2',
//user : 'user@gmail.com', // actual user being impersonated
//scope : "", //Optional, but recommend to define for the action intended
//clientId : '888888888998-9xx9x99xx9x99xx9xxxx9xx9xx9x88x8xxx.apps.googleusercontent.com',
//clientSecret: 'XxxxxXXxX0xxxxxxxx0XXxX0',
//refreshToken: '1/XXxXxsss-xxxXXXXXxXxx0XXXxxXXx0x00xxx'
}
});
提示::Gmail将从使用授权用户帐户发送的任何电子邮件中重写FROM字段(用户被假冒)。如果您想对此进行一些自定义,请使用语法 {FROM:’" Display NAME" < user email>'} ,因为电子邮件匹配,它不会覆盖您的显示名称选择。
TIP: Gmail will rewrite the FROM field from any email sent with the authorized user account (user impersonated). If you want to customize this slightly, use the syntax { FROM: '"Display NAME" <user email>' } and it will not overwrite your display name choice since the email matches.
注意:nodemailer将向<带有刷新令牌的href = https://accounts.google.com/o/oauth2/token rel = nofollow noreferrer> https://accounts.google.com/o/oauth2/token
NOTE: nodemailer will make a token request out to https://accounts.google.com/o/oauth2/token with the refresh token to automatically obtain an access_token.
不幸的是,nodemailer缺少将接收到的令牌直接保存到文件中的功能,而只是使用this.emit()。如果服务器保持活动状态,这将不是问题,但是由于我的只是爆炸,它总是会产生延迟,因为每次都会请求一个新的access_token。
Unfortunately, nodemailer lacks the functionality to save a received token out to a file directly but instead just uses this.emit(). If the server stays active it will not be an issue but as mine is only bursting, it will always incur a delay as a new access_token will be requested every time.
[安全] 希望这对您有用!放开使用2LO的服务帐户会带来的私钥加密令人失望,但至少很难以这种Client ID方式进行欺骗。我担心安全性,但阅读更多内容后,我对这个实现还可以。请参见 Google身份平台(Nodemailer使用HTTP / REST详细信息)并给出
[SECURITY] Hopefully this works for you! It is disappointing to loose the private key encryption a service account with 2LO would bring but at least this Client ID way is very hard to spoof. I was concerned about security but reading more I am okay with this implementation. See Google Identity Platform (Nodemailer uses the HTTP/REST details) and given
[1] Google的OAuth 2.0端点位于
https://accounts.google.com/o/oauth2/v2/auth 。该端点是
,只能通过HTTPS访问。普通的HTTP连接被拒绝。
[1] Google's OAuth 2.0 endpoint is at https://accounts.google.com/o/oauth2/v2/auth. This endpoint is accessible only over HTTPS. Plain HTTP connections are refused.
[5] Web服务器收到授权代码后,可以将
的授权代码交换为访问令牌。
[5] After the web server receives the authorization code, it can exchange the authorization code for an access token.
您正在使用TLS进行初始连接以获取授权码,然后将其与您的客户端ID数据进行匹配,并使用refresh_token(您必须经历上面所做的麻烦)然后您
you are using TLS to connect initially for an authorization code, then matching it with your client ID data, and a refresh_token (you must go through the hassle we did above) then you can receive an access_token to actually interact with Google APIs.
,只要您保持OAuth2.0客户端ID(高度随机的用户名),机密和将令牌尽可能独立,安全和隐藏地刷新,您应该可以安然入睡。 好运!
这篇关于NodeMailer-使用Google服务帐户发送邮件失败,因为“用户名和密码未接受”的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
