###### tags: `Google drive api` `api change requires updates`
# Google Drive API important security update
## When to use
> In response to the Google Drive API notice: important security update for Drive document URLs and resource keys. For more information, refer to Access link-shared files using resource keys
## List of affected systems
| System | Sponsor | Status |
| ----------------------|----------------|----------|
| AI optimization watchlist (Google) | Mike/Robin | |
| AI optimization watchlist (Facebook) | Elmo | |
| Remarketing list auto-import | Robin | |
## Things I don't understand
1. [HTTP POST](https://developers.google.com/drive/api/v3/manage-uploads#simple)
I don't see where the credentials go.
Possible answer:
[try it now](https://developers.google.com/drive/api/v3/reference/files/copy#try-it)
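## Solution compiled by Mike...
### What is affected
If an application uses the Drive API to access files **shared with users via link sharing**, the application may be affected by this change.
### What needs to be done
To avoid errors when accessing files, the code that accesses files must be updated to include the appropriate **resource key**.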
> In addition to the item ID, your application may now also need a resource key to access these items. Without a resource key, requests for these items may result in a 404 Not Found error (See below for details). **Note that access to items that are directly shared with the user or group are not affected.**
> Items that have a Drive API permission with type=domain or type=anyone, where withLink=true (v2) or allowFileDiscovery=false (v3), will be affected by this security update.

So our company's systems should not be affected.
### What has changed
1. If the file is a shortcut file, then the resource key for the target of the shortcut can be read from the shortcutDetails.targetResourceKey field of the same resource.
2. URL type fields such as exportLinks, webContentLink, and webViewLink will include the resourceKey.
3. Requests to the Drive API can specify one or more resource keys with the **X-Goog-Drive-Resource-Keys HTTP** request header.
4. Changes to Apps Script
The DriveApp from Apps Script has been updated to return the resource key of a file or folder with the getResourceKey method.
>
> Note: When fetching a file or folder, the resource key can be specified on the getFileByIdAndResourceKey or getFolderByIdAndResourceKey methods.
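
Added example, not part of the original note: collecting resource keys from file metadata (including a shortcut's `shortcutDetails.targetResourceKey`) and building the `X-Goog-Drive-Resource-Keys` value in the comma-separated `itemId/resourceKey` form described in Google's resource-keys documentation. The file IDs, keys and the `ACCESS_TOKEN` placeholder are constructed, and the function names are hypothetical.

```python
# Added example (not from the original note). Sample data below is constructed.
import json

# Constructed files.list-style items, as returned with
# fields=files(id,name,mimeType,resourceKey,shortcutDetails)
SAMPLE_FILES = json.loads("""
[
  {"id": "FILE_A", "name": "report.pdf", "mimeType": "application/pdf",
   "resourceKey": "0-keyA"},
  {"id": "FILE_B", "name": "notes", "mimeType": "application/vnd.google-apps.document"},
  {"id": "SHORTCUT_C", "name": "link to D",
   "mimeType": "application/vnd.google-apps.shortcut",
   "shortcutDetails": {"targetId": "FILE_D", "targetResourceKey": "0-keyD"}}
]
""")


def collect_resource_keys(files):
    """Map item ID -> resource key; for shortcuts, record the target's key."""
    keys = {}
    for f in files:
        if f.get("resourceKey"):
            keys[f["id"]] = f["resourceKey"]
        details = f.get("shortcutDetails") or {}
        if details.get("targetId") and details.get("targetResourceKey"):
            keys[details["targetId"]] = details["targetResourceKey"]
    return keys


def resource_keys_header(keys):
    """Build the header value: comma-separated 'itemId/resourceKey' pairs."""
    pairs = []
    for item_id, key in sorted(keys.items()):
        # Defensive check: separators, whitespace or CR/LF would make the
        # header ambiguous or allow header injection.
        if any(c in ",/" or c.isspace() for c in item_id + key):
            raise ValueError(f"unsafe ID or resource key for {item_id!r}")
        pairs.append(f"{item_id}/{key}")
    return ",".join(pairs)


def request_headers(access_token, keys):
    """Headers for a Drive API call; the caller supplies the access token."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    if keys:  # only send the header when there is at least one key
        headers["X-Goog-Drive-Resource-Keys"] = resource_keys_header(keys)
    return headers
```

Files without a `resourceKey` field (such as `FILE_B` here) need no entry in the header.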
### Links to read
1. [Files](https://developers.google.com/drive/api/v3/reference/files)
2. [Access link-shared files using resource keys](https://developers.google.com/drive/api/v3/resource-keys)
3. [Class DriveApp](https://developers.google.com/apps-script/reference/drive/drive-app)
4. [integrating with the Drive UI](https://developers.google.com/drive/api/v3/enable-sdk)
5. [permission](https://developers.google.com/drive/api/v3/manage-sharing)
> A permission for a file. A permission grants a user, group, domain or the world access to a file or a folder hierarchy
### Key points, in my view
1. getFolderByIdAndResourceKey(id, resourceKey)
> Gets the folder with the given ID and resource key. Resource keys are an additional parameter which need to be passed to access folders that have been **shared using a link**.
>
> Throws a scripting exception if the folder doesn't exist or the user doesn't have permission to access it.
2. getFolderById(id)
> Gets the folder with the given ID. Throws a scripting exception if the folder does not exist or the user does not have permission to access it.
### It seems only these are affected
[Google to add security resource key to certain Drive files](https://oit.ncsu.edu/2021/07/15/google-to-add-security-resource-key-to-certain-drive-files-and-youtube-video-links/)
Drive Files
If applied, the security update will impact non-native public Drive files and publicly shared folders in Drive created prior to **2017**. Non-native files are those created outside of Google Workspace (e.g., Microsoft Office files, pdfs) and uploaded to Drive. Users who previously viewed the file will still have access, but other users will not be able to access it via the original link, so file access requests may increase.
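[If you don't use permissions, there is no need to worry](https://wordpress.org/support/topic/upcoming-google-security-update/)
## To do
### 1. Print the field values of the key Drive files ==> confirm whether they are affected by this change
1. First, find the FILEID of each key file.
2. Use the FileID to find the permissionID.
3. Finally, use the FileID together with the permissionID to get the PERMISSION.

All of the above can be done with Google's try-it API tool.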



Our type is user,
which is not one of the types mentioned in the email:
> Items that have a Drive API permission with type=domain or type=anyone, where withLink=true (v2) or allowFileDiscovery=false (v3), will be affected by this security update.
> Also, regarding allowFileDiscovery: according to the documentation, it only exists when type is domain or anyone
> Whether the permission allows the file to be discovered through search. This is only applicable for permissions of type domain or anyone.
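
Added example, not part of the original note: the check from the three steps above, applied to permission resources already fetched per file, using the rule quoted from the email (type=domain or type=anyone with allowFileDiscovery=false in v3, or withLink=true in v2). The file IDs and permissions are constructed, and `classify` and `audit` are hypothetical names.

```python
# Added example (not from the original note). All IDs and permissions are constructed.
# Each list mimics the "permissions" array from permissions.list (v3), requested with
# fields=permissions(id,type,role,allowFileDiscovery) so the flag is present.
SAMPLE = {
    "FILE_USER_ONLY": [
        {"id": "p1", "type": "user", "role": "owner"},
        {"id": "p2", "type": "user", "role": "writer"},
    ],
    "FILE_ANYONE_LINK": [
        {"id": "p1", "type": "user", "role": "owner"},
        {"id": "anyoneWithLink", "type": "anyone", "role": "reader",
         "allowFileDiscovery": False},
    ],
    "FILE_DOMAIN_SEARCHABLE": [
        {"id": "p3", "type": "domain", "role": "reader", "allowFileDiscovery": True},
    ],
    "FILE_V2_LINK": [  # v2-style resource: withLink instead of allowFileDiscovery
        {"id": "anyoneWithLink", "type": "anyone", "role": "reader", "withLink": True},
    ],
    "FILE_FLAG_NOT_REQUESTED": [  # flag missing because fields= did not ask for it
        {"id": "anyoneWithLink", "type": "anyone", "role": "reader"},
    ],
}

LINK_TYPES = {"domain", "anyone"}


def classify(perm):
    """Return 'direct', 'link', 'discoverable' or 'unknown' for one permission."""
    if perm.get("type") not in LINK_TYPES:
        return "direct"                      # user/group shares are not affected
    flag = perm.get("allowFileDiscovery")    # v3 field
    if flag is None and "withLink" in perm:  # v2 field has the opposite sense
        flag = not perm["withLink"]
    if flag is None:
        return "unknown"                     # cannot decide without the flag
    return "link" if flag is False else "discoverable"


def audit(files):
    """Map file ID -> 'affected', 'unknown' or 'not_affected'."""
    report = {}
    for file_id, perms in files.items():
        kinds = {classify(p) for p in perms}
        report[file_id] = ("affected" if "link" in kinds
                           else "unknown" if "unknown" in kinds
                           else "not_affected")
    return report
```

An `unknown` result means the permission was fetched without its discovery flag, so the request should be repeated with that field included before concluding anything.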
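### 2. How to obtain a Drive API access token
>ANS: Already solved, via the OAuth 2.0 Playground
>[See this note](https://hackmd.io/X0Td75_eRnq5hq51dLeWGg)
>You can obtain both the access token and the refresh token at the same time
### 3. Practice sending requests with the Drive web tool / Postman
Getting a resource here requires two things: an API key and an access token. The access token expires, so it has to be obtained through the OAuth 2.0 Playground described in item 2.
#### Drive web tool
The Drive web tool can send requests directly, without setting up an API key and the like.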

#### Postman send request
```
Get request
https://www.googleapis.com/drive/v3/files/fileID
```
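> fileID is a path variable; put in the fileID of your own file

params
```
fields:kind%2Cowners%2Cname
key:APIKEY (available from GCP)
```
> `fields` determines which information fields you want returned; see the [File resource representations in Google's official documentation](https://developers.google.com/drive/api/v3/reference/files). Multiple fields are separated with **%2C** (the URL-encoded comma).
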
Headers
```
Authorization:Bearer ACCESS_TOKEN
Accept:application/json
```
> After "Bearer", leave one space and then add the access token


### 4. How to obtain the resource key
### OAuth 2.0 doc
[oauth2](https://translate.google.com/translate?hl=zh-TW&sl=en&tl=zh-TW&u=https%3A%2F%2Fdevelopers.google.com%2Fidentity%2Fprotocols%2Foauth2&anno=2&prev=search)