search

nytimes / library

A collaborative documentation site, powered by Google Docs.
https://nyt-library-demo.herokuapp.com/
Apache License 2.0
1.15k stars 144 forks source link

Support for upcoming changes to Drive API Permissions? #288

Open ChrisC opened 3 years ago

ChrisC commented 3 years ago

Problem Description

We received an email from Google API warning about Drive API permissions changes on Sept 13, 2021 on our Library project. Will Library continue to work when these changes go into effect?

Additional Information

Some further context from Google's communications: We are writing to let you know that on September 13, 2021, Drive will apply a security update that will change the links used to share some files, and may lead to some new file access requests. Access to files won’t change for people who have already viewed or modified these files.

Please update your code as detailed below before September 13, 2021, to avoid failing requests.

What do I need to know?

Items that have a Drive API permission with type=domain or type=anyone, where withLink=true (v2) or allowFileDiscovery=false (v3), will be affected by this security update.

In addition to the item ID, your application may now also need a resource key to access these items. Without a resource key, requests for these items may result in a 404 Not Found error (See below for details). Note that access to items that are directly shared with the user or group are not affected.

Will this change affect me?

If your application uses the Drive API to access files which have been shared with a user through link sharing, your application may be affected by this change.

What do I need to do?

To avoid errors accessing files, you must update your code for accessing files to include the appropriate resource keys. Details on how to do this for each of the affected Drive APIs is included below:

Changes to the Drive API

The resource key of an item is returned on the resourceKey field of the file metadata in the Drive API response.

If the file is a shortcut file, then the resource key for the target of the shortcut can be read from the shortcutDetails.targetResourceKey field of the same resource. URL type fields such as exportLinks, webContentLink, and webViewLink will include the resourceKey. Requests to the Drive API can specify one or more resource keys with the X-Goog-Drive-Resource-Keys HTTP request header. Learn more about this change from the Drive API guide.

afischer commented 3 years ago

Hey @ChrisC, thanks for posting this. From what I can tell, this should not cause issues with Library as it is currently set up. That said, we will be monitoring the API change closely and make whatever adjustments necessary to keep the app working as expected.