
Google oauth rest google drive scope
#Google oauth rest google drive scope update

Earlier I wrote about my feelings on Google's new verification process for sensitive and restricted Gmail API scopes, and here I'll be posting live updates of GMass's journey through the process. We're doing this for the benefit of the thousands of developers that have yet to begin the process, are thinking about the process, or are frustrated with the process.

The security assessment officially kicks off. I have my external alignment phone call with Leviathan. I create the Slack channel and invite all the relevant members from Leviathan. My first big to-do is to send them a list of all URL endpoints for the GMass Chrome extension. Since a Chrome extension is, by nature, public, the endpoints can easily be grepped from the extension's JavaScript. On the first day of testing, Leviathan finds a SQL injection issue which they determine is critical. I fix the issue later that evening and report this to Leviathan, who then marks the issue as "resolved".

Looks like Google has added a third security company, NCC, that can perform a security assessment. Also, Leviathan is no longer accepting new projects for 2019.

#Google oauth rest google drive scope verification

Due to time constraints and wanting to keep my sanity, I haven't posted live updates in a while, though much has happened. I'll attempt to summarize what's happened lately in this final update. GMass was approved and issued the Letter of Assessment from Leviathan in October. Google then approved the restricted scopes that GMass needed to operate. Even though I had passed the security assessment, they needed to ensure that I had a Vulnerability Disclosure Program set up. As a result I created the URL /incident and added this to the footer of the GMass website. Also in October, Google announced that developers using the Google Sheets v3 API would need to migrate to v4, necessitating a new OAuth verification procedure, one that I'm still navigating.

#Google oauth rest google drive scope full

In addition to GMass, I have two other apps that use restricted Gmail API scopes, Wordzen and. Wordzen is a much simpler app than GMass, and because I now had the knowledge of what a security assessment is, I figured Wordzen would be much easier. After Leviathan completed the assessment of GMass in October, I asked if they would now review Wordzen. Unfortunately, Leviathan told me they were too busy to review Wordzen. I considered engaging Bishop Fox or the new assessor, NCC, for Wordzen and SearchMyEmail, but because both of those apps are non-revenue-generating, I decided against it and to let those apps remain "unverified", which comes with some interesting quirks.

In June/July I had a lengthy back and forth with the OAuth team. I was at the stage where a security assessment was required, and I informed them that I would not be undergoing the assessment, would happily remain "unverified", and that I would just remain under the 100-user unverified app limit. I had planned to do this by revoking inactive tokens and forcing users to re-auth periodically. However, I found that Google's counting of active tokens was flawed, and after complaining enough, they increased my limit from 100 tokens to 200 tokens.

For Wordzen, the outcome was different. After being sent multiple emails informing me I must undergo the security audit, I wrote back, noting that there are only 25 active users for Wordzen, and asking, since I'm under 100, if Wordzen could continue operating that way. They responded with this detailed explanation, which put my concerns at rest. Additionally, in a Google OAuth miracle, as of 2020, the Cloud Console for the Wordzen project is showing the full scope as an officially approved scope for the Wordzen app. I don't know how that happened; Wordzen never went through the security audit.

In my previous update, I mentioned that Wordzen, by some miracle, had managed to still have full access to the omnipotent scope despite skipping the security assessment. On January 13, I received word that the project had been reviewed, and my access to that scope was no longer.
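The first scoping deliverable mentioned above, the list of URL endpoints grepped out of the extension's JavaScript, is something an assessor and a developer should produce the same way so the attack surface they agree on is complete. The script below is an added example, not the author's code or GMass's: it walks an unpacked Chrome extension directory, pulls every absolute http(s) URL literal out of its JS/HTML/JSON, adds the host patterns declared in manifest.json, and reports which file references each URL. The sample extension it writes to a temp directory (the `example.com` hosts, `background.js`, `content.js`) is constructed for the demo and is not any real extension.

```python
"""Enumerate the URL endpoints an unpacked Chrome extension talks to.

Added example for this page; the extension contents below are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Absolute URL literals in source; stop at whitespace, quotes, backtick,
# angle brackets or a closing paren. Host patterns such as https://*.example.com/*
# are matched too, so manifest entries are picked up even before parsing.
URL_RE = re.compile(r"https?://[^\s'\"`<>)]+")
SOURCE_SUFFIXES = {".js", ".mjs", ".html", ".json"}


def manifest_hosts(manifest: dict) -> set[str]:
    """Host patterns from permissions, host_permissions and content_scripts.matches."""
    hosts: set[str] = set()
    for key in ("permissions", "host_permissions"):
        hosts.update(p for p in manifest.get(key, []) if "://" in p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def extract_endpoints(ext_dir: Path) -> dict[str, set[str]]:
    """Map each URL found under ext_dir to the files (relative paths) that reference it.

    Caveat: paths assembled at runtime (API + "/send") only surface as their base
    URL; those need a manual pass over the code that builds them.
    """
    found: dict[str, set[str]] = {}
    for path in sorted(ext_dir.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        urls = set(URL_RE.findall(text))
        if path.name == "manifest.json":
            urls |= manifest_hosts(json.loads(text))
        for url in urls:
            found.setdefault(url.rstrip("/"), set()).add(str(path.relative_to(ext_dir)))
    return found


def write_sample_extension(root: Path) -> None:
    """Constructed MV3 extension with a few endpoint styles to exercise the scan."""
    manifest = {
        "manifest_version": 3,
        "name": "demo-ext",
        "version": "0.1",
        "permissions": ["storage"],
        "host_permissions": ["https://*.example.com/*"],
        "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["content.js"]}],
        "background": {"service_worker": "background.js"},
    }
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    (root / "background.js").write_text(
        'const API = "https://api.example.com/v1";\n'
        'fetch(API + "/send", {method: "POST"});\n'            # concatenated path: base only
        'fetch("https://api.example.com/v1/campaigns?limit=50");\n'
        "fetch('https://telemetry.example.com/ping');\n"
    )
    (root / "content.js").write_text(
        'const s = document.createElement("script");\n'
        "s.src = `https://cdn.example.com/inject.js`;\n"        # template literal
    )


def demo() -> dict[str, set[str]]:
    """Build the sample extension in a temp dir and return its endpoint map."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_extension(root)
        return extract_endpoints(root)


if __name__ == "__main__":
    for url, files in sorted(demo().items()):
        print(f"{url:50s} <- {', '.join(sorted(files))}")
```

Run it against a real extension by pointing `extract_endpoints` at the unpacked directory (for an installed extension, the folder under the browser profile's `Extensions/<id>/<version>`). Anything that shows up only as a base URL, like `https://api.example.com/v1` above, is a cue to read the code that appends paths to it before sending the list to the assessor.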