Can't POST FormData to a Google Sheet, would like to restrict access to people invited to edit the spreadsheet

Question

I have a simple page with a form, and I decided to offer the option of submitting it to a Google Sheet. It's meant as part of an internal webapp, used by a few collaborators to submit to a spreadsheet shared between us. I would have used a Google Forms but I wanted more control over the form.

I have set up a Google Apps Script bound to the spreadsheet following these instructions and deployed it as web app with:

Execute the app as: Me
Who has access to the app: Anyone, even anonymous

This works fine, I can POST FormData with XMLHttpRequest (vanilla javascript). But so can anyone else, no matter if they're allowed to edit the spreadsheet, even if they're logged out of Google.

I'd like to restrict access to the web app - only people invited to the spreadsheet should be able to use the web app to insert rows. (Which is what I expected in the first place... if you don't have edit permissions you don't get to edit, period.)

At the moment switching the Google Apps Script Deploy as web app settings to anything else results in an 'Access-Control-Allow-Origin' error. I probably have to do something else - either in my page or in the GAS - to handle auth, right?

I want the web app to be deployed as

Execute the app as: User accessing the app
Who has access to the app: Anyone

and when a spreadsheet collaborator visits my page, he can submit the form - provided he's logged into Google.

Answer 1

the google apps script execution api does what you need. its well explained in the official docs:

https://developers.google.com/apps-script/guides/rest/api

its too broad to explain here step by step. you might need to read also about how to make an oauth2 flow from browser javascript.