Fetching with a Javascript column—

This may be the greatest thing I’ve seen in a while. Solved a very important use case of mine…details to follow!

Note: As @Jeff_Hager mentions below, this should be used with extreme discretion.

3 Likes

I think one potential gotcha is that some snooping could easily reveal that header information, including the authentication token.

I believe a glide webhook is executed server side, so there is a little bit of protection there, especially if you utilize the webhook password, since it’s never revealed to the client. But a javascript column is executed client side, so it’s reasonably easy to debug that code as it runs.

Just something to consider depending on what kind of endpoint you are connecting to and how secure the data needs to be.

1 Like

Gotcha. Thanks. Ya, this is an internal app where the data is just whether a user is free or busy…so no sensitive data being passed…but will definitely keep this in mind.

1 Like

Hi Jeff,

I wonder if we use JS code parameters (p1, p2, p3) to hide sensitive information, will it improve security (or at least make spying harder)?

Something like…

var data= await fetch(p1, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Authorization': p2
    },
});

I’d be most concerned about the authentication token. With the code executed client side, there is no way to fully secure that, and so there is always the possibility it could leak.

I’d be less concerned about the data, as presumably whatever is returned will be displayed in the App. So there is probably no reason to try and hide that.

1 Like

Parameters won’t help. You can debug any computed column, including the javascript column, and see the data that’s passing through them. You can also set a watch on any variable in that code. There’s no way to fully secure what’s happening on the client end. I’m not saying it’s easy to see the data, but if you specifically know what to look for then you can still track down what those values are. I think Glide obfuscates their code, so it’s a mess to look at, but still can be debugged.

In comparison to webhooks, I’m pretty sure that webhooks run server side. That way glide can inject the webhook password into the header without the client device ever having knowledge of that password.

3 Likes
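The server-side pattern described in the posts above (the secret is attached on the server, so the client never holds it), as an added example that is not part of the original thread and not Glide's own code. The names `relay`, `buildUpstreamRequest`, `ALLOWED_ACTIONS` and the `api.example.invalid` URL are hypothetical placeholders, and the token is assumed to come from server-side configuration.

```javascript
// Added example: a relay that runs on a server the app calls instead of the real API.
// Hypothetical names and placeholder URL; the token is read from server-side config only.
const ALLOWED_ACTIONS = new Set(['status']); // constructed allow-list
const UPSTREAM_URL = 'https://api.example.invalid/v1/availability'; // placeholder

// Build the outbound request. Nothing the client sent can choose the
// destination URL or supply the Authorization header.
function buildUpstreamRequest(clientReq, serverToken) {
  if (!serverToken) throw new Error('server token not configured');
  const action = String((clientReq.query || {}).action || '');
  if (!ALLOWED_ACTIONS.has(action)) {
    return { error: { status: 400, body: 'unsupported action' } };
  }
  const url = new URL(UPSTREAM_URL);
  url.searchParams.set('action', action);
  return {
    url: url.toString(),
    options: {
      method: 'GET',
      // Client headers are never copied; the token is attached here, on the server.
      headers: { Authorization: serverToken },
    },
  };
}

// Relay one request. fetchImpl is injectable so the function can be exercised offline.
async function relay(clientReq, serverToken, fetchImpl = globalThis.fetch) {
  const built = buildUpstreamRequest(clientReq, serverToken);
  if (built.error) return built.error;
  const upstream = await fetchImpl(built.url, built.options);
  // Only status and body go back to the client; request headers stay server-side.
  return { status: upstream.status, body: await upstream.text() };
}
```

The client-side column then fetches the relay URL with no Authorization header at all, so debugging the column shows only the data the app would display anyway.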

Hi all, I have some problems with these fetch calls. My code works, but when I try to add some functions it never works again.

I try to fetch a GET or POST service implemented in the gsheet of the glide project, so everything is linked.

My glide script in java is the following, with a development URL for the web app in appscript:

var url = 'https://script.google.com/macros/s/AKblablablablablablablabla/dev?action=do';
var options = {
    method: 'GET',
    headers: { // note, I tried with many headers/content-types
        'Content-Type': 'application/x-www-form-urlencoded',
    },
};

// FETCH
var data = await fetch(url, options);

// RESPONSE
const json = await data.text();
return json;

I always get “Failed to fetch”.
The doGet method in the Google Sheet does nothing special; it is for testing purposes.

function doGet(e) {
    Logger.log('doGet', Date());
    return ContentService.createTextOutput('0').setMimeType(ContentService.MimeType.TEXT);
}

Does anyone know why this scenario worked two days ago but nothing happens today when I try to work with it? Because it worked at least once, that means no token info is needed.

I don’t want to work with flags in cells to trigger appscript events; I want to call the web app with GET or POST.

Any help?

Hi Juan!

At first glance, it seems your web app version was erased or has some syntax error (URL).

Also, you are using a development/test version, and it will work with Google tools (e.g. Chrome), but with Glide you must use a production version that is already deployed and authorized.

So, the URL of your deployed web application must contain the “/exec” parameter and not “/dev”. Something like:

https://script.google.com/macros/s/AKblablablablablablablabla/exec?action=do

Hope this helps, regards!

2 Likes

You’re right! With the production URL the fetch works fine… it’s a pity because I need to work in the appscript for a while and I need to test from Glide, so I will have to deploy for each change. But it works.
Thanks!

1 Like