search

webOS-ports / luneos-testing

Public testing images for LuneOS
4 stars 1 forks source link

Google C+DAV: Fix "Google hasn't verified this app" #5

Open Herrie82 opened 2 years ago

Herrie82 commented 2 years ago

Describe the bug Google upgraded it's security, we now need to verify our C+DAV Connector. Since the original developer is no longer actively involved, set it up under another account.

To Reproduce Try to add Google C+DAV Account, you will get the warning screen.

Expected behavior No warning screen.

Screenshots GoogleVerified

Smartphone (please complete the following information):

Additional context Add any other context about the problem here.

Herrie82 commented 2 years ago

@Garfonso Any chance you could share the settings (scopes mainly I guess) you have for the C+DAV in your Google Dev Console? Seeing we have to update the code anyway after Google's most recent change to OOB flow as per https://developers.google.com/identity/protocols/oauth2/resources/oob-migration

It might be a good idea to take ownership of the credentials as well at our end using webos.ports@gmail.com so we can manage it from there.

Garfonso commented 2 years ago

I'm willing to help, but I did not yet find out how to find that information on Googles Development stuff... if you can give me any further hints... Yes, it probably would be a good idea to take ownership with a webos ports account.

Herrie82 commented 2 years ago

@Garfonso Thanks as always :)

I'm also not sure yet, because I didn't set it up myself yet at our end:

https://console.cloud.google.com/home/dashboard should show you which API's you have I guess and their credentials and scopes?

Otherwise maybe in https://console.cloud.google.com/apis/dashboard or https://console.cloud.google.com/apis/credentials

Garfonso commented 2 years ago

I dug a bit more and found mostly usage statistics and Client Keys. From that I learned, that the connector mostly uses the Caldav-v2 API: https://developers.google.com/calendar/caldav/v2/guide?hl=de

Also, the scopes that are requested are hard-coded in the apps, it seems: https://github.com/webOS-ports/org.webosports.service.contacts.carddav/blob/b57a9743bd42d6928662800dae61305b5b18a292/app/app/assistants/account-setup-google-assistant.js#L31

and https://github.com/webOS-ports/org.webosports.service.contacts.carddav/blob/b57a9743bd42d6928662800dae61305b5b18a292/app-enyo/GoogleOauth/CrossAppTarget.js#L60

I know that it was a pain to fiddle out the scopes, but I can not really remember doing much more than creating a Client ID and client secrets in the Google console.

BTW, those are hard coded in the two app-files: https://github.com/webOS-ports/org.webosports.service.contacts.carddav/blob/b57a9743bd42d6928662800dae61305b5b18a292/app-enyo/GoogleOauth/CrossAppTarget.js#L13 and https://github.com/webOS-ports/org.webosports.service.contacts.carddav/blob/b57a9743bd42d6928662800dae61305b5b18a292/app/app/assistants/account-setup-google-assistant.js#L18

It might be a good idea to, in the long run, find a way to remove the secret from source code. From what I understood at the time of writing this, the only possibility was to use a proxy (i.e. requests without the secret are done against the proxy which will add the secret... not sure if that really improves things).

Anyway, I did a bit of googling, and if I did it right, webos.ports@gmail.com should have an invitation to be owner of the project.

Herrie82 commented 2 years ago

I got the invitation and accepted it, will take it from there :) Thanks for the help!