brendanhay / gogol

A comprehensive Google Services SDK for Haskell.

Incorrect OAuth scopes (possibly throughout the library) #143

Open saurabhnanda opened 4 years ago

saurabhnanda commented 4 years ago

With Google clamping down on OAuth scopes being available to API clients [1], it is very important to make API calls with the LEAST "intrusive" scope. To give an example, here are the docs of spreadsheets.create (emphasis mine):

Requires one of the following OAuth scopes:

However, v0.5.0 of the library requires ALL of the scopes to make this API call:

type instance Scopes SpreadsheetsCreate
  = '["https://www.googleapis.com/auth/drive",
      "https://www.googleapis.com/auth/drive.file",
      "https://www.googleapis.com/auth/spreadsheets"]
    -- Defined in ‘Network.Google.Resource.Sheets.Spreadsheets.Create’

I have tried making this API call with the least restrictive (and in fact "free-to-use") OAuth scope, i.e. https://www.googleapis.com/auth/drive.file, and it seems to work.

[1] A lot of scopes are now classified as restricted and/or sensitive, and one has to complete a lengthy verification process to get access to these scopes in an external/production app.

saurabhnanda commented 4 years ago

Does anyone know where this file is coming from? https://github.com/brendanhay/gogol/blob/develop/gen/model/sheets/v4/sheets-api.json

I guess the autogen infra is emitting Haskell code according to this file.
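As an added illustration (not code from gogol or from any commenter), this Python example contrasts the "one of" semantics in Google's documentation with an "all of" reading of the same scope list, for a token that holds only drive.file. It assumes the model file follows the Google API Discovery layout (nested `resources`, each with `methods` carrying a `scopes` list); `iter_methods`, `audit` and the nested `example` method are hypothetical names.

```python
import json

# Constructed fragment in the Discovery document layout. The create scopes are
# the three quoted in the issue; the nested "example" method is hypothetical.
SAMPLE = json.loads("""
{"resources": {"spreadsheets": {
  "methods": {"create": {
    "id": "sheets.spreadsheets.create",
    "scopes": ["https://www.googleapis.com/auth/drive",
               "https://www.googleapis.com/auth/drive.file",
               "https://www.googleapis.com/auth/spreadsheets"]}},
  "resources": {"example": {"methods": {"get": {
    "id": "sheets.spreadsheets.example.get",
    "scopes": ["https://www.googleapis.com/auth/spreadsheets"]}}}}}}}
""")


def iter_methods(node):
    """Yield (method id, scopes) for every method, recursing into nested resources."""
    for method in node.get("methods", {}).values():
        yield method["id"], method.get("scopes", [])
    for child in node.get("resources", {}).values():
        yield from iter_methods(child)


def audit(discovery, granted):
    """Per method: is the call allowed if ANY listed scope suffices, and if ALL are demanded?"""
    granted = set(granted)
    report = {}
    for method_id, scopes in iter_methods(discovery):
        required = set(scopes)
        missing = sorted(required - granted)
        report[method_id] = {
            "any_of": not required or bool(required & granted),
            "all_of": not missing,
            "missing_for_all_of": missing,
        }
    return report


if __name__ == "__main__":
    granted = ["https://www.googleapis.com/auth/drive.file"]
    for method_id, result in audit(SAMPLE, granted).items():
        print(method_id, result)
```
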

saurabhnanda commented 4 years ago

I'm reading https://github.com/brendanhay/gogol/blob/develop/gen/README.md -- what kind of stuff can go into the annex/**.json files? Can we override the service descriptions via the corresponding annex file?