I have a google apps script that has an API key set as a property (getScriptProperties()). The script is attached to a spreadsheet. Will users of the spreadsheet conceivably have access to the API key? Would this be different if said property were contained in a library the script invoked?
CodePudding user response:
Will users of the spreadsheet conceivably have access to the API key?
Yes, if stored in Script/Document properties. User properties are also accessible, if the user has installed a trigger.
Would this be different if said property were contained in a library the script invoked?
Kind of. As written in resource scoping, Script properties are not shared, i.e., library has it's own instance of script properties. Although it's not shared automatically, you should be careful not to code in such a way to give access to the end users(i.e., The actual fetch should happen in the library. Secrets should never reach user code). It may still be possible to access the tokens through debugger, overriding methods(see link below). User properties are shared.
Related:
Securely Storing API Secrets used in Google Apps Script - Published Library
What is the appropriate way to manage API secrets within a Google Apps script?