Resource key may be necessary to access certain shared files #371

Open
achubaty opened this issue Jul 29, 2021 · 7 comments

@achubaty

Just a heads-up: a security fix for Google Drive URLs will be rolled out in Sept 2021.

https://arstechnica.com/gadgets/2021/07/heres-what-that-google-drive-security-update-message-means/

Google's new link scheme adds a "resourcekey" to the end of any shared Drive links, making them harder to guess. So a link that used to look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/" will now look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w." The resource key makes it harder to guess.

I'm not sure exactly what updates need to be made to googledrive to account for this change.

@jennybc
Member

jennybc commented Jul 29, 2021

Thanks for the heads up and details.

@aldomann

Just checking, has this been addressed? As far as I can tell, the package (v2.0.0) is still working as intended, although we are over the 13th Sept 2021 deadline.

@jennybc
Member

jennybc commented Sep 15, 2021

I haven't changed anything yet, no.

As for the deadline passing, I find this is often how deadlines go with Google service changes. Of course, we can't count on it, but the transition period often ends up being longer (sometimes MUCH longer, like years) than officially indicated.

But I'm not counting on that. I'm just working on something that's a higher priority atm.

@jennybc
Member

jennybc commented Oct 29, 2021

https://developers.google.com/drive/api/v3/resource-keys

https://workspaceupdates.googleblog.com/2021/06/drive-file-link-updates.html

Developers: Items that have a Drive API permission with type=domain or type=anyone, where withLink=true (v2) or allowFileDiscovery=false (v3), will be affected. In addition to the item ID, your application may now also need a resource key to access these items. Use our Developer resource to learn more about how this update will impact your projects.

where the "developer resource" they refer to is the first link above.

@jennybc
Member

jennybc commented Oct 30, 2021

Quoting from https://stackoverflow.com/a/69099793:

API to get the file

https://www.googleapis.com/drive/v3/files/${file_id}?fields=*

https://developers.google.com/drive/api/v3/reference/files

- shortcutDetails.targetResourceKey (string): The ResourceKey for the target file.
- resourceKey (string): A key needed to access the item via a shared link.

So a link that used to look like https://drive.google.com/file/d/${file_id}/

will now look like https://drive.google.com/file/d/${file_id}/view?resourcekey=xxxx-xxxx-xxxx-xxx

@jennybc
Member

jennybc commented Oct 30, 2021

Email I received 2021-08-10

Hello Google Drive Developer,

We have identified you as a Developer who has used the Drive API in the last 30 days. We are writing to let you know that on September 13, 2021, Drive will apply a security update that will change the links used to share some files, and may lead to some new file access requests. Access to files won’t change for people who have already viewed or modified these files.

Please update your code as detailed below before September 13, 2021, to avoid failing requests.

What do I need to know?
Items that have a Drive API permission with type=domain or type=anyone, where withLink=true (v2) or allowFileDiscovery=false (v3), will be affected by this security update.

In addition to the item ID, your application may now also need a resource key to access these items. Without a resource key, requests for these items may result in a 404 Not Found error (See below for details). Note that access to items that are directly shared with the user or group are not affected.

Will this change affect me?
If your application uses the Drive API to access files which have been shared with a user through link sharing, your application may be affected by this change.

What do I need to do?
To avoid errors accessing files, you must update your code for accessing files to include the appropriate resource keys. Details on how to do this for each of the affected Drive APIs is included below:

Changes to the Drive API
The resource key of an item is returned on the resourceKey field of the file metadata in the Drive API response.

If the file is a shortcut file, then the resource key for the target of the shortcut can be read from the shortcutDetails.targetResourceKey field of the same resource.
URL type fields such as exportLinks, webContentLink, and webViewLink will include the resourceKey.
Requests to the Drive API can specify one or more resource keys with the X-Goog-Drive-Resource-Keys HTTP request header.
Learn more about this change from the Drive API guide.

Changes to Apps Script
The DriveApp from Apps Script has been updated to return the resource key of a file or folder with the getResourceKey method.

Note: When fetching a file or folder, the resource key can be specified on the getFileByIdAndResourceKey or getFolderByIdAndResourceKey methods.

Changes to Drive UI Integrations
If your application is integrated with the Drive UI to create or open items, it will receive resource keys when your application is invoked from the Drive UI.

The state information for a New URL will contain folderResourceKey, which is the resource key of the folder where the new item should be created.
The state for an Open URL will contain a mapping of file ID to resource key in the resourceKeys field.
Learn more about integrating with the Drive UI on our website.

Which projects may be affected?
Your projects that have used the Drive API in the last 30 days and may be affected by this change are below:

googlesheets4-dev (robust-fin-276504)
gargle (gargle-169921)

To get help with these changes, see the Drive API support options on our website.

Thanks for choosing Drive API.

Sincerely,

The Google Drive Team
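
The link format and request header described in the email above, as an added example that is not part of the thread or of googledrive's code: it pulls the file ID and resource key out of a shared link and builds (without sending) a metadata request carrying `X-Goog-Drive-Resource-Keys`. The function names are hypothetical, the `fileId/resourceKey` comma-separated header value follows the Drive API resource-keys guide linked earlier in the thread, and the allowed character set for IDs and keys is an assumption used to reject values that could inject extra header content.

```python
import re
from urllib.parse import urlsplit, parse_qs
from urllib.request import Request

# Sample link quoted in the first comment of this thread.
SAMPLE_LINK = ("https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/"
               "view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w")

_TOKEN = re.compile(r"[A-Za-z0-9_-]+")            # assumed charset for IDs and keys
_PATH_ID = re.compile(r"/(?:d|folders)/([^/]+)")  # /file/d/<id>, /document/d/<id>, /drive/folders/<id>
_HOSTS = {"drive.google.com", "docs.google.com"}

def parse_drive_link(url):
    """Return (file_id, resource_key or None) from a shared Drive link."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in _HOSTS:
        raise ValueError("not a Google Drive link")
    query = parse_qs(parts.query)
    match = _PATH_ID.search(parts.path)
    file_id = match.group(1) if match else query.get("id", [None])[0]
    key = query.get("resourcekey", [None])[0]
    if not file_id or not _TOKEN.fullmatch(file_id):
        raise ValueError("no usable file ID in link")
    # Reject commas, slashes, CR/LF etc. before the key reaches a header value.
    if key is not None and not _TOKEN.fullmatch(key):
        raise ValueError("malformed resource key")
    return file_id, key

def resource_keys_header(pairs):
    """Format (file_id, key) pairs as 'id1/key1,id2/key2', skipping items without a key."""
    return ",".join(f"{fid}/{key}" for fid, key in pairs if key)

def metadata_request(url, access_token):
    """Build, but do not send, a files.get request for the item behind a shared link."""
    file_id, key = parse_drive_link(url)
    req = Request(f"https://www.googleapis.com/drive/v3/files/{file_id}"
                  "?fields=id,name,resourceKey,shortcutDetails")
    req.add_header("Authorization", f"Bearer {access_token}")
    if key:  # pre-update links carry no key; the header is then omitted
        req.add_header("X-Goog-Drive-Resource-Keys",
                       resource_keys_header([(file_id, key)]))
    return req

if __name__ == "__main__":
    print(dict(metadata_request(SAMPLE_LINK, "ACCESS_TOKEN_PLACEHOLDER").header_items()))
```
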

@jennybc changed the title from "forthcoming security fix for Google Drive URLs" to "Resource key may be necessary to access certain shared files" on Oct 30, 2021

@jennybc
Member

jennybc commented Oct 30, 2021

My current inclination is to sit on this until I have a concrete example of someone bumping up against it. I am not immediately able to get my hands on a concrete example of a file for which the resource key is necessary for API access. It is not practical to adapt to this change until I have a concrete example to work against.
