Read and write data in Firebase from Apps Script - in a secure way

Question

My goal was to create a table (Google Sheets) that presents some data from Firebase DB - in a readable way.

Goal achieved using this awesome tutorial: https://sites.google.com/site/scriptsexamples/new-connectors-to-google-services/firebase/tutorials/read-and-write-data-in-firebase-from-apps-script

The thing is that this sheet presents a security/privacy hazard - since the "DB secret" is shown in the script. I can't share this sheet/script because of this.

Is there a way, without writing a web-app, to utilize Google Apps Script (with Google Sheets) in a secure way? Maybe by adding some kind of "login" mechanism? Or restricting access to some users (identified by their email)?

Answer 1

Y̶o̶u̶ ̶c̶o̶u̶l̶d̶ ̶m̶o̶v̶e̶ ̶t̶h̶e̶ ̶s̶e̶n̶s̶i̶t̶i̶v̶e̶ ̶c̶o̶d̶e̶ ̶t̶o̶ ̶a̶ ̶s̶t̶a̶n̶d̶-̶a̶l̶o̶n̶e̶ ̶s̶c̶r̶i̶p̶t̶ ̶a̶n̶d̶ ̶d̶e̶p̶l̶o̶y̶ ̶i̶t̶ ̶a̶s̶ ̶a̶ ̶[̶l̶i̶b̶r̶a̶r̶y̶]̶[̶1̶]̶.̶ ̶Y̶̶̶o̶u̶ ̶c̶a̶n̶ ̶t̶h̶e̶n̶ ̶r̶e̶f̶e̶r̶e̶n̶c̶e̶ ̶t̶h̶e̶ ̶l̶i̶b̶r̶a̶r̶y̶ ̶i̶n̶ ̶y̶o̶u̶ ̶c̶o̶n̶t̶a̶i̶n̶e̶r̶-̶b̶o̶u̶n̶d̶ ̶s̶c̶r̶i̶p̶t̶s̶ ̶a̶n̶d̶ ̶t̶h̶e̶ ̶o̶n̶l̶y̶ ̶t̶h̶i̶n̶g̶ ̶y̶o̶u̶'̶l̶l̶ ̶e̶x̶p̶o̶s̶e̶ ̶a̶r̶e̶ ̶t̶h̶e̶ ̶f̶u̶n̶c̶t̶i̶o̶n̶ ̶s̶i̶g̶n̶a̶t̶u̶r̶e̶s̶ ̶a̶n̶d̶ ̶n̶o̶t̶ ̶t̶h̶e̶ ̶c̶o̶d̶e̶ ̶t̶h̶e̶r̶e̶i̶n̶ ̶k̶e̶e̶p̶i̶n̶g̶ ̶t̶h̶e̶ ̶"̶D̶B̶ ̶S̶e̶c̶r̶e̶t̶"̶ ̶s̶a̶f̶e̶.

Y̶o̶u̶ ̶c̶a̶n̶ ̶e̶v̶e̶n̶ ̶a̶d̶d̶ ̶e̶x̶t̶r̶a̶ ̶s̶e̶c̶u̶r̶i̶t̶y̶ ̶a̶n̶d̶ ̶c̶r̶e̶a̶t̶e̶ ̶a̶ ̶w̶h̶i̶t̶e̶-̶l̶i̶s̶t̶ ̶o̶f̶ ̶u̶s̶e̶r̶s̶,̶ ̶a̶n̶d̶ ̶g̶a̶t̶e̶ ̶t̶h̶e̶ ̶c̶o̶d̶e̶ ̶i̶n̶ ̶t̶h̶e̶ ̶l̶i̶b̶r̶a̶r̶y̶ ̶s̶u̶c̶h̶ ̶t̶h̶a̶t̶ ̶a̶c̶c̶e̶s̶s̶ ̶i̶s̶ ̶o̶n̶l̶y̶ ̶g̶r̶a̶n̶t̶e̶d̶ ̶t̶o̶ ̶t̶h̶o̶s̶e̶ ̶o̶n̶ ̶t̶h̶e̶ ̶l̶i̶s̶t̶ ̶s̶i̶n̶c̶e̶ ̶y̶o̶u̶'̶l̶l̶ ̶b̶e̶ ̶a̶b̶l̶e̶ ̶t̶o̶ ̶d̶e̶t̶e̶c̶t̶ ̶t̶h̶e̶ ̶c̶u̶r̶r̶e̶n̶t̶ ̶u̶s̶e̶r̶ ̶v̶i̶a̶ ̶̶S̶e̶s̶s̶i̶o̶n̶.̶g̶e̶t̶A̶c̶t̶i̶v̶e̶U̶s̶e̶r̶(̶)̶.̶g̶e̶t̶E̶m̶a̶i̶l̶(̶)̶̶.

Update 1

Verified @Frank van Puffelen comment, and he is correct in that a library's code can be exposed by linking to the stand-alone script directly. For a user to be able to use a library they need at minimum view-only access, which allows them to see the code using a direct link to the stand-alone script.

But here is a viable solution, you can deploy your script as an add-on and that will ensure that your code remains private. Your users will have to install the add-on to use your script but they won't have access to the code.

---

Update 2

I believe libraries could still be viable for your use-case, but you'd have to go about using them in a round-about sort of way.

So here's how you might go about it:

• Create, not one, but two libraries.

• Share one of those libraries publicly so that your users can access it. Lets call this library LIB_A.

• Store any sensitive data and functionality in the second library; let's call it LIB_B.

• Have LIB_A reference LIB_B. Because LIB_A and LIB_B both belong to the same account, LIB_A can access the contents of LIB_B. However, the contents of LIB_B will not be exposed to your users (as long as it is not shared).

Note that this approach is not without its downsides, your app takes a performance hit whenever you use libraries so the more libraries you use the slower your executions times. So if you have time-critical code in play this may not be the best approach.