Does using Companion needs OAuth API App Verification? #2288
Comments
Google requires an app review for apps that use Restricted and Sensitive scopes. Companion requires the drive.readonly scope. Looking at this list of Restricted scopes, you'll find the So I'm afraid yes, there'd be a need for Google to review your app in order to verify it.
Closing based on the comment above ☝️
Sorry to revisit an old thread, but part of the verification process involves running a vulnerability scanner on the application using Google Drive. Looks like a static analysis of the code would be fine, but I'm a little confused on how much I need to scan. Has anyone here scanned Companion and gotten through the verification process? (If there's somewhere else I should ask this, please direct me.) I installed Companion and scanned it (along with its node_modules folder) with Fluid Attacks. After taking hours to complete, it reported 208 vulnerabilities. Some of these were related to libraries that won't be used at runtime (e.g. grunt, uglify). However, in order to meet Google's requirement, all vulnerabilities reported by the scanner need to be fixed. This would include vulnerabilities in Express, Lodash, Moment, and others. Looks like upgrading some of the dependencies would resolve the issues, but I don't know what, if any, issues that might cause. Here's part of the email I received from Google:
This has taken weeks/months to get to the point of requiring the scan @cognettings mentioned. I wish I had known about that added requirement previously. Based on the experience I've had here, I'd never recommend Uppy. There should be a way to reduce the scope. Based on Google's review process, drive.file would have been a sufficient scope for our project, but there's no way to change it. If Uppy could fix that, I'm sure they'd be in better shape in terms of growth/popularity.
We're currently in the verification process to get approved for the The
@ifedapoolarewaju Would it be possible to add a config to choose between
The docs for Drive's api scopes seem to suggest that
Since Uppy/Companion didn't create the files in Drive, they wouldn't have access. Though "open" seems ambiguous to me. Maybe it means "opened from a local source then saved to Drive"... Anyway, my current, hopefully temporary, solution is to extract the Drive provider from the Companion server and run it as its own server which posts the files to my main web server to be uploaded to S3. I'm aiming to isolate as much of the Google Drive stuff as possible so there won't be much to scan (the scanner keeps reporting vulnerabilities that I'm not sure how to fix). So, in the end, I'll have three servers: web server, companion server, companion server for Drive. The web server proxies the companion routes to the companion servers. I think this should all work, but this whole process has felt kind of... icky?
I understand everyone's frustrations, but note there is nothing we can do to reduce the scope. In order to download files, we need at least Note that you can use Companion with Transloadit credentials so you can go to production immediately. But be aware that users might be confused if they see "Transloadit" requesting access rather than your company name. Lastly, we'll try to come up with some sort of report that could be used by everyone to smooth the verification process.
A report of some kind to help fast-track the verification process would be great to have! Personally I don't mind users seeing "Transloadit", but unfortunately it's not my decision at the moment. Additionally, I would like to say that Uppy/Companion are pretty damn awesome and I appreciate all the hard work going into it! I think my frustration is more due to having everything else ready to go, but others not wanting to release until Google Drive is ready too.
I now see why the @Murderlon Thanks for the suggestion to use the Transloadit credentials, that could be a temporary solution while we're waiting for the verification process with Google. Maybe helpful to add a warning to the Google Drive docs mentioning: to use the Google Drive Companion Plugin, you have to complete the verification process with Google for the
Created an issue for it: transloadit/uppy.io#181
@markjongkind Has your verification process been done?
We've put the verification process on hold and will reevaluate everything next month.
Hey all, in case anyone was looking for options on working around Google Drive for the time being. My current solution involves using the Google Picker API. Luckily that API doesn't require my application to go through the security assessment. So when the Drive icon is clicked, I open Google's Picker UI instead. I have it communicate with the Uppy Dashboard to show upload progress to my server (instead of Companion) for uploading to S3. The other providers work as normal and communicate with Companion. It works well enough for right now. More info (and screenshots) on the Uppy forums.
+1 for this @cognettings. Hey @mifi could we possibly get an implementation of the Google Picker UI or an option to do so client side? @cognettings has already written some great code for it that seemingly just works. Since we can't really get around using the
It's not a priority at the moment, but if someone creates a community plugin we would be happy to link to it. We'd also happily accept a PR to add it to our code base as a different plugin.
Hi Team,
Google is making Google Drive a restricted scope for accessing the Drive API.
https://support.google.com/cloud/answer/9110914
We plan to use Uppy and companion to allow users to upload media files from their Google Drive folders. Does it also require app verification / approval from Google if companion is hosted on Google/Aws serverless platform?
If the app consent screen is not approved by Google, it will show as "App Unverified" on the consent screen and the user will not give access.
So, does Google's verification still apply to Companion, or is there a way out?
Please help.