Switch to using non-restricted drive.file permission for Google Drive

Switch from using the sensitive/restricted `https://www.googleapis.com/auth/drive` scope to the non-restricted `https://www.googleapis.com/auth/drive.file` scope. The latter allows our app to only access files that have been shared via the Google Drive Picker, whereas the former allows access to all files. For this to work, the OAuth client ID needs to be passed when configuring the picker, so that the selected file is later made available for use with the Google Drive API client. See https://stackoverflow.com/a/58175142/434243. Fixes #1333
hypothesis · Jun 17, 2024 · bdc131b · bdc131b
1 parent eeb9dd6
commit bdc131b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/lms/static/scripts/frontend_apps/utils/google-picker-client.ts b/lms/static/scripts/frontend_apps/utils/google-picker-client.ts
@@ -4,7 +4,7 @@ import {
   loadIdentityServicesLibrary,
 } from './google-api-client';
 
-export const GOOGLE_DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive';
+export const GOOGLE_DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive.file';
 
 /**
  * Convert a domain (example.com) into a valid web origin (https://example.com).
@@ -199,6 +199,7 @@ export class GooglePickerClient {
     const picker = new pickerLib.PickerBuilder()
       .addView(view)
       .addView(new pickerLib.DocsUploadView())
+      .setAppId(this._clientId)
       .setCallback(pickerCallback)
       .setDeveloperKey(this._developerKey)
       .setMaxItems(1)

diff --git a/lms/static/scripts/frontend_apps/utils/test/google-picker-client-test.js b/lms/static/scripts/frontend_apps/utils/test/google-picker-client-test.js
@@ -15,6 +15,7 @@ function createGoogleLibFakes() {
   const pickerBuilder = {
     addView: sinon.stub().returnsThis(),
     build: sinon.stub().returnsThis(),
+    setAppId: sinon.stub().returnsThis(),
     setCallback: sinon.stub().returnsThis(),
     setDeveloperKey: sinon.stub().returnsThis(),
     setMaxItems: sinon.stub().returnsThis(),
@@ -182,14 +183,15 @@ describe('GooglePickerClient', () => {
   });
 
   describe('#showPicker', () => {
-    it('requests authorization and sets token used by picker', async () => {
+    it('requests authorization and sets credentials used by picker', async () => {
       const client = createClient();
       client.showPicker();
 
       await fakeGoogleLibs.pickerVisible;
 
       assert.ok(fakeTokenClient);
       const builder = fakeGoogleLibs.picker.api.PickerBuilder();
+      assert.calledWith(builder.setAppId, '12345');
       assert.calledWith(builder.setOAuthToken, 'the-access-token');
     });