Hi there, I would like to know if it is possible to add a user to the share list with an API call. That would be a fantastic feature if we can call it from a script to add a user’s email to that list. Right now we have to do that only from within the AppSheet editor. Not feasible to scale without domain locking or Google Groups. The thing is, users need a Google account to be part of the Google group so AppSheet can verify. I don’t think it should take too much effort if we can just maintain that list using an API, not Google Groups or domains. Thanks!
+1
Been wanting an API to manage User Allowlisting for years!
It’s been asked. I’m sure the reason for hesitation is hacking attempts. Once you expose a feature through an API, hackers will find ways in and the last thing any of us need is for unauthorized users to be injected into our apps!!
An alternative is to use Workspace accounts and manage user access through a business domain. I.e. any user with a valid email address of a matching domain can access the app. No need to update the white-list.
Presently, you CAN configure the app to NOT require sign-in but still require authentication through an app-specified provider (no white-list needed). However, anyone who gets a link to the app can access it with a qualified provider. You can build into the app a Users table of the “allowed” users, then show/hide views based on whether they are listed in the Users table. This is obviously less secure.
I hope this helps!
Well, I would like to politely disagree. If an API can manipulate records of a table securely, the same API is secure enough to manage a simple user list. I do have other solutions. I am baking in manual login through OTPs, but that is not my point. I am using a domain approach and a Google Groups approach too for one of my projects. It is not about security, because an API key is not easy to guess and we can easily call it through a script which never exposes the key to strangers but only to the URL it is talking to. Very hard to know what a script contains without looking at the code. I do appreciate your willingness to provide solutions. Thanks!
Not the same at all.
A white-listed app will not allow an unauthorized user to make data changes. Even if someone did find a way to tunnel into the app API, they would be limited to the functionality provided by the API itself - which is usually a select set of functionality.
Most hackers gain access through discovered credentials. Today, two-factor authentication (2FA) fights that.
But if an unauthorized user found a way to give themselves app access, they have free rein over EVERYTHING in the app. They may even go undetected for some time as an actual authorized user, especially in apps with many users. Not even 2FA will help protect against this kind of attack.