CODEWITHSUNDEEP
google-apps-scriptgmail-apigmail-contextual-gadgetsgmail-addons
Andrew Goldberg
Andrew Goldberg

Reputation: 185

Permissions error using UrlFetchApp in Gmail Add-on

I am just starting to try building a new Gmail Add-on, and am running into the following error message:

"You do not have permission to call fetch"

This happens when testing the add-on in the Script Editor, and also when deployed inside my Gmail. Here is a sample of the code:

function getContextualAddOn(e) {
    var API_KEY = 'TESTKEY';
    var URL = 'https://[REDACTED]';
    var options = {
        'method' : 'post',
        'contentType': 'application/json',
        'headers': {
            'x-api-key': API_KEY
        },
        'payload' : JSON.stringify({ 'foo': 'bar' })
    };

    var response = UrlFetchApp.fetch(URL, options);

    [more code that builds a card] 
}

As you can see, it's a pretty straightforward use of UrlFetchApp.fetch. I'm brand new to Apps Script, so maybe I am missing some permissions declaration or scope in my manifest. I tried an even simpler example just using UrlFetchApp.getRequest, but that also failed with "You do not have permission to call getRequest".

The manifest for the addon is the same as in the examples:

{
  "timeZone": "America/New_York",
  "dependencies": {
  },
  "exceptionLogging": "STACKDRIVER",

  "oauthScopes": [
    "https://www.googleapis.com/auth/gmail.addons.execute",
    "https://www.googleapis.com/auth/gmail.addons.current.message.readonly",
    "https://www.googleapis.com/auth/userinfo.email"
  ],
  "urlFetchWhitelist": [
    "https://[REDACTED]"
  ],
  "gmail": {
    "name": "Test Add-On",
    "logoUrl": "some url",
    "primaryColor": "#4285F4",
    "secondaryColor": "#4285F4",
    "contextualTriggers": [{
      "unconditional": {},
      "onTriggerFunction": "getContextualAddOn"
    }],
    "version": "TRUSTED_TESTER_V2"
  }
}

Is UrlFetchApp supposed to be allowed inside a Gmail Add-On, or is this just a bug? Do I need to add something to my manifest or enable some other option in the script editor?

Upvotes: 12

Views: 7830

Answers (3)

bytrangle
bytrangle

Reputation: 1149

The accepted answer was from 2017. I don't know if Google has changed its authorization policy since then, but simply adding a new scope to the Project Properties settings won't work.

How do you trigger the function that call fetch?. You can't use simple triggers to do that. They fire automatically, so they can't access services that require authorization. UrlFetchApp definitely requires permission. There is no way to open a dialog to ask for users' content with simple triggers.

You, as the script owner, can add new authorization scope, but what happens when you deploy this script with end users? How are they going to grant their permission to the script to make API calls to some unfamiliar servers?

To get around this, you need to use installable triggers. Whatever are available in simple triggers, there are equivalent in installable triggers.

Let's assume that you want to call the API on opening the spreadsheet.

From the Script Editor, go to Edit >> Current Project's Triggers and set up a new trigger.

  • Under Run, select the name of the function that you want to trigger. In the OP's case, it's the getContextualAddOn(e) function.

  • Under Select event source, choose From spreadsheet.

  • Under Event type, choose On Open.

  • Configure other settings as you like and save.

Upvotes: 1

Kevin.
Kevin.

Reputation: 2810

Use installable trigger instead and write your own function that you bind to your installable trigger.

https://developers.google.com/apps-script/guides/triggers/installable#g_suite_application_triggers

This solved the issue for me.

Upvotes: 0

Eric Koleda
Eric Koleda

Reputation: 12671

The UrlFetchApp service requires an additional scope, https://www.googleapis.com/auth/script.external_request. Add it to your list of scopes and the code should work.

The scopes required for each Apps Script method is listed under the "Authorization" section in the reference docs (example). Alternatively, you can discover the scopes required by your script by temporarily removing the oauthScopes section of the manifest and viewing the auto-determined scopes for your code in File > Project properties > Scopes. (If you define any scopes in your manifest, this disables the "automatic scope detection" behavior of Apps Script.)

References

Upvotes: 29

Related Questions