transloadit / uppy

The next open source file uploader for web browsers :dog:
https://uppy.io
MIT License

Does using Companion need OAuth API App Verification? #2288

Closed iamsaurabhgupt closed 4 years ago

iamsaurabhgupt commented 4 years ago

Hi Team,

Google is making Google Drive to be a restricted scope for accessing Drive API. https://support.google.com/cloud/answer/9110914

We plan to use Uppy and Companion to allow users to upload media files from their Google Drive folders. Does it also require app verification / approval from Google if Companion is hosted on a Google/AWS serverless platform? If the app consent screen is not approved by Google, it will show as "App Unverified" on the consent screen and the user will not give access. So, does Google's verification still apply to Companion, or is there a way out? Please help.


ifedapoolarewaju commented 4 years ago

Google requires an app review for apps that use Restricted and Sensitive scopes.

Companion requires the drive.readonly scope.

Looking at this list of Restricted scopes, you'll find the drive.readonly scope in there.

So I'm afraid yes, there'd be a need for Google to review your app in order to verify it.

ifedapoolarewaju commented 4 years ago

closing based on the comment above ☝️

cognettings commented 1 year ago

Sorry to revisit an old thread, but part of the verification process involves running a vulnerability scanner on the application using Google Drive. Looks like a static analysis of the code would be fine, but I'm a little confused on how much I need to scan. Has anyone here scanned Companion and gotten through the verification process? (If there's somewhere else I should ask this, please direct me.)

I installed Companion and scanned it (along with its node_modules folder) with Fluid Attacks. After taking hours to complete, it reported 208 vulnerabilities. Some of these were related to libraries that won't be used at runtime (e.g. grunt, uglify). However, in order to meet Google's requirement, all vulnerabilities reported by the scanner need to be fixed. This would include vulnerabilities in Express, Lodash, Moment, and others. Looks like upgrading some of the dependencies would resolve the issues, but I don't know what, if any, issues that might cause.

Here's part of the email I received from Google:

1 - Tier 2 Self Scan Using Open Source Tools
  - Follow the CASA Tier 2 procedures to self scan your application
  - Fix any CWEs flagged by your scan
  - Register or log-in to the CASA portal and initiate your security assessment
  - Submit your scan results and fill out the CASA questionnaire on the portal
  - Receive the results and validation report in the CASA portal
  - The CASA portal will automatically share the Letter of Validation with Google.

2 - Tier 2 Self Scan Using Commercial Tools
  - Follow the CASA Tier 2 procedures to self scan your application using commercial pre-approved tools
  - Fix any CWEs flagged by your scan
  - Register or log-in to the CASA portal and initiate your security assessment
  - Submit your scan results and fill out the CASA questionnaire on the portal
  - Receive the results and validation report in the CASA portal
  - The CASA portal will automatically share the Letter of Validation with Google.

  You can use any CWE-compatible app scanning tool(s) that meet the CASA scan requirements. A list of commercial and open source options (not comprehensive) is provided below as example CWE compatible tools: Veracode, LDRA, Burp Suite, Sonar, Oversecured, Fortify, Acunetix, Checkmarx.

3 - Tier 2 Authorized Lab Scan
  Alternatively, we worked with the CASA authorized labs to provide a low cost Tier 2 alternative for developers who want to work with a lab to conduct the assessment. Contact any CASA authorized lab to conduct your Assessment.

  NOTE: If you opt to complete a Tier 2 assessment with a CASA authorized lab, you are not required to initiate an assessment on the CASA portal and fill out the questionnaire.

crnamatt commented 11 months ago

This has taken weeks/months to get to the point of requiring the scan @cognettings mentioned. I wish I had known about that added requirement previously. Based on the experience I've had here, I'd never recommend Uppy. There should be a way to reduce the scope. Based on Google's review process, drive.file would have been a sufficient scope for our project, but there's no way to change it. If Uppy could fix that, I'm sure they'd be in better shape in terms of growth/popularity.

markjongkind commented 11 months ago

We're currently in the verification process to get approved for the drive.readonly scope. The review team told us the application should function with the drive.file scope from the Google Picker API as well. Tried to make it work, but got this error: "provider.drive.list.error HTTP 403: Request had insufficient authentication scopes."

The drive.readonly scope is a restricted scope, which means:

@ifedapoolarewaju Would it be possible to add a config to choose between drive.file scope from the Google Picker API (verification in 2-6 days) or the drive.readonly scope from the Google Drive API (verification in 8 weeks + requires privacy and security verification)?

cognettings commented 11 months ago

The docs for Drive's api scopes seem to suggest that drive.file won't work.

View and manage Drive files and folders that you open or create with an app.

Since Uppy/Companion didn't create the files in Drive, they wouldn't have access. Though "open" seems ambiguous to me. Maybe it means "opened from a local source then saved to Drive"...

Anyways my current, hopefully temporary, solution is to extract the Drive provider from the Companion server and run it as its own server which posts the files to my main web server to be uploaded to S3. I'm aiming to isolate as much of the Google Drive stuff as possible so there won't be much to scan (the scanner keeps reporting vulnerabilities that I'm not sure how to fix). So, in the end, I'll have three servers: web server, companion server, companion server for Drive. Web server proxies the companion routes to the companion servers.

I think this should all work but this whole process has felt kind of...icky?

Murderlon commented 11 months ago

I understand everyone's frustrations, but note there is nothing we can do to reduce the scope. In order to download files, we need at least drive.readonly, which falls into the restricted category and thus needs verification.

Note that you can use Companion with Transloadit credentials so you can go to production immediately. But be aware that users might be confused if they see "Transloadit" requesting access rather than your company name.

Lastly, we'll try to come up with some sort of report that could be used by everyone to smoothen the verification process.

cognettings commented 11 months ago

A report of some kind to help fast-track the verification process would be great to have! Personally I don't mind users seeing "Transloadit", but unfortunately it's not my decision at the moment.

Additionally, I would like to say that Uppy/Companion are pretty damn awesome and I appreciate all the hard work going in to it! I think my frustration is more due to having everything else ready to go, but others not wanting to release until Google Drive is ready too.

markjongkind commented 11 months ago

I now see why the drive.file scope won't work.

@Murderlon Thanks for the suggestion to use the Transloadit credentials, that could be a temporary solution while we're waiting for the verification process with Google.

Maybe helpful to add a warning to the Google Drive docs mentioning: to use the Google Drive Companion plugin, you have to complete the verification process with Google for the drive.readonly scope, which can take up to 8 weeks.

Murderlon commented 11 months ago

Created an issue for it: https://github.com/transloadit/uppy.io/issues/181

surajrathod007 commented 8 months ago

@markjongkind Has your verification process been done?

markjongkind commented 8 months ago

> @markjongkind Has your verification process been done?

We've put the verification process on-hold and will reevaluate everything next month.

cognettings commented 8 months ago

Hey all, in case anyone was looking for options on working around Google Drive for the time being. My current solution involves using the Google Picker API. Luckily that API doesn't require my application to go through the security assessment. So when the Drive icon is clicked, I open Google's Picker UI instead. I have it communicate with the Uppy Dashboard to show upload progress to my server (instead of Companion) for uploading to S3. The other providers work as normal and communicate with Companion.

It works well enough for right now. More info (and screenshots) on the Uppy forums.
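The Picker-based workaround sketched in the comment above, as an added client-side example (not Uppy's or Companion's own code, and not the commenter's): the Picker response is mapped to per-file downloads and the bytes are handed to Uppy, so the app only needs the drive.file scope rather than the restricted drive.readonly scope Companion uses to list folders. It assumes an OAuth token already obtained with the drive.file scope, a Picker developer key and the project number, plus a hypothetical `uppy` instance uploading through your own server.

```javascript
// Added example, not Uppy code; assumes a drive.file-scoped token, API key and project number.
// Google-native documents have no binary body, so `alt=media` fails on them;
// they must be exported to an ordinary MIME type instead.
const EXPORT_TARGETS = {
  'application/vnd.google-apps.document': 'application/pdf',
  'application/vnd.google-apps.spreadsheet': 'text/csv',
};
const FOLDER = 'application/vnd.google-apps.folder';

// Turn Picker `docs` entries into download plans. Folders are skipped: expanding
// them would mean listing Drive, which is exactly what needs drive.readonly.
function planDownloads(docs) {
  const plans = [], skipped = [];
  for (const doc of docs) {
    if (doc.mimeType === FOLDER) { skipped.push(doc.name); continue; }
    const base = `https://www.googleapis.com/drive/v3/files/${encodeURIComponent(doc.id)}`;
    const exportType = EXPORT_TARGETS[doc.mimeType];
    plans.push({
      name: doc.name,
      type: exportType || doc.mimeType,
      url: exportType ? `${base}/export?mimeType=${encodeURIComponent(exportType)}`
                      : `${base}?alt=media`,
    });
  }
  return { plans, skipped };
}

// Browser side: fetch each picked file with the user's token and add it to Uppy,
// which then uploads through your own server rather than Companion.
async function addPickedFilesToUppy(uppy, token, docs) {
  const { plans, skipped } = planDownloads(docs);
  for (const p of plans) {
    const res = await fetch(p.url, { headers: { Authorization: `Bearer ${token}` } });
    if (!res.ok) throw new Error(`Drive returned HTTP ${res.status} for ${p.name}`);
    uppy.addFile({ name: p.name, type: p.type, data: await res.blob(), source: 'GooglePicker' });
  }
  return skipped; // caller can tell the user which folders were ignored
}

// Open the Picker; setAppId ties the picked files to this app so drive.file can reach them.
function openPicker(uppy, token, developerKey, projectNumber) {
  new google.picker.PickerBuilder()
    .addView(google.picker.ViewId.DOCS)
    .setOAuthToken(token)
    .setDeveloperKey(developerKey)
    .setAppId(projectNumber)
    .setCallback((d) => { if (d.action === google.picker.Action.PICKED) addPickedFilesToUppy(uppy, token, d.docs); })
    .build().setVisible(true);
}
```

Wire `openPicker` to the Dashboard's Drive button; Google's `gapi`/`google.picker` script must be loaded on the page first.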

StrixOSG commented 5 months ago

+1 for this @cognettings. Hey @mifi, could we possibly get an implementation of the Google Picker UI, or an option to do so client side? @cognettings has already written some great code for it that seemingly just works. Since we can't really get around using https://www.googleapis.com/auth/drive.readonly, as mentioned in my previous issue #4793 that you had taken a look into, I figure this might be a great solution?

Murderlon commented 5 months ago

It's not a priority at the moment but if someone creates a community plugin we would be happy to link to it. We'd also happily accept a PR to add it to our code base as a different plugin.