nprapps / app-template

The NPR visuals team's opinionated project template for client-side apps.
http://blog.apps.npr.org/2014/07/29/everything-our-app-template-does.html
MIT License

Check the Google Apps scope that our app is requesting #608

Closed mileswwatkins closed 5 years ago

mileswwatkins commented 6 years ago

We recently had an issue where our Google Drive OAuth access was flagged by Google as "high risk." It had to be white-listed in an admin dashboard somewhere. According to Paul Miles:

It could also be that the app is requesting a scope that is more than what it needs to do. I also think there could be an additional bug, because supposedly apps created by us are supposed to be automatically trusted.

We should be requesting absolute-minimum scope for what the Google OAuth token is needed for (i.e., offline caching of documents). Check that that is true right now!

thomaswilburn commented 5 years ago

These scopes seem perfectly normal to me--certainly they're what we'd need to do what it is that the template does. We could be more specific with Drive, but we need enough access that I think the API-wide scope is justified.
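A small scope audit of the kind the first comment asks for, and a map of the API-wide Drive and Sheets scopes to the narrower ones the second comment alludes to. This is an added example, not code from the original issue or from nprapps/app-template. It assumes the minimum need for "offline caching of documents" is read-only Drive access (`NEEDED_SCOPES`); the scope URLs are Google's real identifiers, the broad-to-narrow mapping is this example's own opinion, and `SAMPLE_TOKENINFO` is a constructed response, not a real token.

```python
"""Audit the Google OAuth scopes an app requests against the minimum it needs.

Added example, not code from nprapps/app-template. NEEDED_SCOPES is an
assumption about the use case described in the issue (offline caching of
Drive documents, i.e. read-only download); SAMPLE_TOKENINFO is a constructed
response, not a real token.
"""
import json

# Scopes that grant access to an entire Google API surface, mapped to the
# narrower alternatives usually sufficient instead. The identifiers are real
# Google scope URLs; the mapping is this example's own opinion.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": [
        "https://www.googleapis.com/auth/drive.readonly",  # read-only, whole Drive
        "https://www.googleapis.com/auth/drive.file",      # only files the app opened/created
    ],
    "https://www.googleapis.com/auth/spreadsheets": [
        "https://www.googleapis.com/auth/spreadsheets.readonly",
    ],
}

# Assumed minimum for "offline caching of documents": read-only Drive access.
NEEDED_SCOPES = {"https://www.googleapis.com/auth/drive.readonly"}


def parse_tokeninfo_scopes(tokeninfo_json):
    """Return the set of scopes granted to a token.

    Google's tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo?access_token=...)
    returns JSON whose "scope" field is a space-separated list. Parsing that
    response shows what a live token actually carries, as opposed to what the
    client config says it asks for.
    """
    info = json.loads(tokeninfo_json)
    return set(info.get("scope", "").split())


def audit_scopes(requested, needed, broad=BROAD_SCOPES):
    """Compare requested scopes with the minimum needed.

    Returns a dict with:
      excess  - requested scopes not in the needed set (least-privilege violation)
      missing - needed scopes that were not requested (the app would break)
      broad   - requested API-wide scopes and the narrower scopes to consider
      ok      - True only if requested == needed and nothing API-wide is present
    """
    requested, needed = set(requested), set(needed)
    excess = sorted(requested - needed)
    missing = sorted(needed - requested)
    broad_hits = {s: broad[s] for s in sorted(requested) if s in broad}
    return {
        "excess": excess,
        "missing": missing,
        "broad": broad_hits,
        "ok": not excess and not missing and not broad_hits,
    }


def format_report(result):
    """Render an audit result as plain text, one finding per line."""
    lines = []
    for scope in result["excess"]:
        lines.append("EXCESS   %s (requested but not needed)" % scope)
    for scope in result["missing"]:
        lines.append("MISSING  %s (needed but not requested)" % scope)
    for scope, narrower in result["broad"].items():
        lines.append("BROAD    %s -> consider: %s" % (scope, ", ".join(narrower)))
    if result["ok"]:
        lines.append("OK       requested scopes match the minimum needed")
    return "\n".join(lines)


# Constructed tokeninfo response for a token granted API-wide Drive access
# plus Sheets (not a real token, client ID, or app).
SAMPLE_TOKENINFO = json.dumps({
    "azp": "example-client-id.apps.googleusercontent.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/drive "
             "https://www.googleapis.com/auth/spreadsheets",
    "expires_in": 3599,
    "access_type": "offline",
})


if __name__ == "__main__":
    granted = parse_tokeninfo_scopes(SAMPLE_TOKENINFO)
    print(format_report(audit_scopes(granted, NEEDED_SCOPES)))
```

To run it against a real token instead of the constructed sample, fetch `https://oauth2.googleapis.com/tokeninfo?access_token=<token>` and pass the response body to `parse_tokeninfo_scopes`; the `access_type` field in the same response confirms whether the token was issued for offline use. Note that `drive.file` is not strictly narrower than `drive.readonly` (it is read/write, but only on files the app itself opened or created), so which alternative fits depends on whether the template needs to read arbitrary documents or only ones it manages.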