AppsScriptPulse

Guide to completing Casa Tier 2 Security Assessment for Google Apps Script (and how to scan your Google Apps Script project for CASA)

If you want to publish your Google Apps Script project on the Google Workspace Marketplace, or if you already have an add-on or app on this marketplace and are using authorization scopes which are now restricted, you will have to go through a TIER 2 CASA security assessment.

Previously in Pulse we have shared ReDriveApp: A new Google Apps Script library to replace DriveApp and restricted scopes. If your Workspace Add-on still requires restricted scopes then you are going to have to think about the next steps and options. One option is going through the enhanced verification process, which requires a Cloud Application Security Assessment (CASA).

If you would like an overview of the process from a developer’s perspective you are in luck as Kelig Lefeuvre (Product Engineer at Scriptit & Folgo) has shared a guide specifically with Apps Script developers in mind. The article includes a number of useful tips and information about the review process which you won’t find in the official documentation.

As part of the CASA process Kelig recommends using the option to bypass the Fortify scan and submit your own results. For those results Kelig has also provided a second article with a step-by-step guide on ‘how to scan your Google Apps Script project for CASA’.

Source: Guide to Completing Casa Tier 2 Security Assessment for Google Apps Script & How to scan your Google Apps Script project for CASA

🔒Preventing Cross-Site Request Forgery (CSRF) in Google Apps Script Dialogs and Sidebars 

 

If you are looking to publish a Google Workspace Editor Add-on, you may need to consider upping your security with an anti-CSRF token.

Scott Donald has shared some really useful information about protecting your Google Workspace and Apps Script data from malicious websites using anti-CSRF tokens. Google is currently in the process of reviewing Google Workspace Add-ons, which means that for many restricted scopes in Google Drive developers need to complete CASA Tier 2 security assessments, which require an anti-CSRF token.

For more context, CSRF attacks are a type of cyberattack that can allow hackers to trick your browser into sending unwanted requests from your account, such as making purchases or changing your settings. This can put your data and privacy at risk.

Anti-CSRF tokens are a simple but effective way to prevent these attacks. They work by generating a unique ID for each user session, which is then included in all requests sent to Google Workspace and Apps Script. This way, the server can verify that the request is legitimate before processing it.

Implementing anti-CSRF protection is relatively easy and this tutorial from Scott explains how you can implement it in your Google Workspace Editor Add-on.

Source: Preventing Cross-Site Request Forgery (CSRF) in Google Apps Script Dialogs and Sidebars – Yagisanatode
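
The token flow described above, as an added JavaScript example that is not taken from Scott's tutorial: the server issues a per-user token when it renders the dialog or sidebar and rejects any state-changing call that does not return it. The in-memory `Map` stands in for a per-user server-side store such as Apps Script's `CacheService.getUserCache()`, and the function names and 30-minute lifetime are assumptions.

```javascript
// Added illustration; function names are hypothetical, not from the linked tutorial.
const nodeCrypto = typeof require === 'function' ? require('crypto') : null;

// Stand-in for a per-user server-side store (assumption: in Apps Script this
// role could be played by CacheService.getUserCache()).
const store = new Map();
const TTL_MS = 30 * 60 * 1000; // token lifetime, assumed value

function newToken() {
  // 128 bits from a cryptographic RNG, hex encoded (32 characters).
  if (nodeCrypto) return nodeCrypto.randomBytes(16).toString('hex');
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (x) => x.toString(16).padStart(2, '0')).join('');
}

// Called when the server renders the dialog/sidebar; the returned token is
// embedded in the served HTML and sent back with every server call.
function issueToken(userKey, now = Date.now()) {
  const token = newToken();
  store.set(userKey, { token, expires: now + TTL_MS });
  return token;
}

// Compare every character so timing does not reveal where a mismatch occurs.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function verifyToken(userKey, presented, now = Date.now()) {
  const entry = store.get(userKey);
  if (!entry) return false;            // no dialog was ever served to this user
  if (now > entry.expires) {           // stale token: drop it and refuse
    store.delete(userKey);
    return false;
  }
  return safeEqual(entry.token, presented);
}

// A state-changing server function that refuses to run without a valid token.
function saveSettings(userKey, token, settings, now = Date.now()) {
  if (!verifyToken(userKey, token, now)) throw new Error('Invalid or missing anti-CSRF token');
  return { saved: true, settings };
}
```

A request forged from another site can carry the user's session but not the token, because the token only ever appears inside the HTML the server rendered for that user.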

ReDriveApp: A new Google Apps Script library to replace DriveApp and restricted scopes 

Apps Script class that provides equivalent methods offered by the built-in DriveApp, but that does not require use of full ‘/drive’ OAuth scope (which is a “Restricted” scope). Instead, uses only these Recommended (non-sensitive) and/or Sensitive scopes

When you use OAuth 2.0 to get permission from a Google Account to access their data, you use strings called scopes to specify the type of data you want to access on their behalf. For Google Workspace Add-on developers wanting to distribute their app in the Google Workspace Marketplace, one consideration is only using the scopes the app requires. In the case of Google Drive a number of the scopes are classified by Google as “restricted”. To use “restricted” scopes there is an enhanced verification process, which requires a Cloud Application Security Assessment (CASA) by an independent security assessor, which comes at a cost and can be time consuming.

ReDriveApp is a new Apps Script community library published by Dave Abouav which makes it easier for developers to use reduced recommended scopes for integrating with Google Drive. As explained by Dave:

The built-in DriveApp service is an easy and powerful way to interact with Google Drive in your Google Apps Script projects, which is why so many developers make use of it. Its one downside is that it forces your project to use the full ‘/drive’ OAuth scope, which is a “Restricted” scope.

In many cases though, projects don’t really need the full /drive scope for common tasks, and the Recommended /drive.file scope is sufficient. This allows your project to create new files, and open existing files if authorized by the end-user via the Drive Picker. Using it also avoids the aforementioned security review, and is less alarming to users when authorizing your app.

ReDriveApp is still work-in-progress and not an official Google project. There are a number of methods that still need to be implemented, but the project is open source and can be contributed to on GitHub. If you are planning or have already developed a Marketplace Add-on that has stalled due to enhanced verification for restricted scopes it could be worth looking at and contributing to this library.

Source: GitHub – ReDriveApp

Creating a usage dashboard for your Google Workspace Marketplace Add-on with LookerStudio, BigQuery and Logging Sinks

Flubaroo Add-on Dashboard

At the moment, Add-ons in Google Workspace offer only basic usage analytics via the Workspace Marketplace SDK. These include install data broken out by domains and seats (for Add-ons installed by Workspace admins), and individual end-user installs. This is useful information, but doesn’t tell you much about who is actively using your Add-on, nor give you the ability to break down that usage by different dimensions.

The code and instructions in this repo will help you gather and visualize Add-on usage data, such as active usage of your Add-on broken out by user characteristics. It also shows you how to log specific events that correspond to use you want to track (i.e. new installs, uses of particular features, etc).

Here’s a useful solution for Google Workspace Add-on developers who would like more actionable insight into their Google Workspace Add-on usage. This isn’t an official Google solution but comes from the creator of the very popular Flubaroo add-on, Dave Abouav.

The solution includes a Google Apps Script helper snippet which enables your add-on to ‘call home’, or in this case into Cloud Logging, with basic user metrics as well as other events you would like to log. The project also details how you can route usage logs from Cloud Logging into BigQuery by creating a ‘sink’ in Google Cloud Log Router.

The final step is creating a LookerStudio dashboard to visualise the BigQuery data. As noted by Dave there is a cost to using BigQuery for long term storage and querying, which should be kept in mind. More details in the source link below.

H/T to Chanel Greco for highlighting this solution.

Source: Instructions for creating a usage dashboard for your Google Workspace Add-on

The Ultimate Guide: Marketing a Google Workspace Add-On

Marketing a Google Workspace Add-On is a comprehensive guide that advises developers on best practices for marketing a Google Workspace add-on.

This post comes thanks to John McGowan, Automagical Apps, who has worked with ALK Digital Marketing to develop a marketing strategy for Google Workspace Add-ons. The guide has lots of useful tips for understanding the Google Workspace Marketplace and developing optimised marketing resources for the Workspace Marketplace as well as other channels including your website, social media and email marketing campaigns.

There is also some guidance on how to approach monetization of your add-on which includes balancing free trials, paid subscriptions and adaptive pricing. This will likely change dependent on the type of add-on you are creating and the value it brings to users. Follow the source link to read more.

Source: The Ultimate Guide: Marketing a Google Workspace Add-On – ALK Digital Marketing Solutions

Adding charts to Google Workspace Add-on sidebar with Google Apps Script

Creating dynamic charts in the sidebar of your Google Workspace Add-on can be an effective approach to getting across a lot of meaning in a somewhat confined space. In this tutorial, we will use Google’s Chart API to generate a live chart, first from some static data and then live from an external data source like a Google Sheet. All with the help of a little Google Apps Script magic.

Here’s another great tutorial from Scott Donald which provides a detailed walkthrough for including charts in a Google Workspace Add-on using the Card Service. The tutorial covers how you can embed dynamic chart data from a Google Sheet. Whilst targeted at Google Workspace Add-ons (Gmail and Drive) you should be able to easily modify this for cards used in Google Chat. The source tutorial includes a video giving an overview of the solution and if you want to take this project further you can sign up for Scott’s Create and Publish Google Workspace Add-ons with Google Apps Script: Master Class.

Source: Adding Charts to Google Workspace Add-on Sidebar Apps with Apps Script – Yagisanatode

5 steps to deploying Google Workspace Editors Add-ons to the Google Workspace Marketplace

This guide is not documentation, but a condensed reminder of what you must do.

Max Makhrov has put together this very succinct guide to publishing Google Workspace Editor Add-ons to the Google Workspace Marketplace. As explained by Max the guide isn’t a step-by-step tutorial, but instead provides the key steps you should remember to do. There are some great tips in this post, particularly around what to include in the recorded screencast required by the Google OAuth verification team.

Source: 5 STEPS to Deploy Google Sheets External Editors add-on

A Google Workspace Developer’s notes on publishing a Google Workspace Add-on to the Marketplace

 

This guide will walk you through creating a public Google Workspace Add-on, and launching it in the Google Workspace Marketplace for as free as possible. …

I’d never developed or published an add-on before. As I was looking into it, I realized that, while it is not super complicated, it is not readily obvious — especially for anyone just getting into add-on development. Google does have a guide on developing and publishing an add-on but it leaves a lot of unanswered questions.

So I thought I would put together what I learned in this guide — a playbook for anyone else who wants to develop their own add-on.

Following on from a recent Pulse post on How to publish to the Google Workspace Marketplace published by the Google Workspace team, here’s a developer’s take on the process from start to finish. As mentioned in the post the official support resources should be your start point, but these notes spotlight some of the nuances required to publish an add-on and the appendix includes some tips on naming your add-on and where/how to host required documentation including your add-on privacy policy.

Source: Developing a GAS Powered Google Workspace Add-on And Launching It To The Marketplace

Creating your own preview link Smart Chips in Google Docs: The Untold Potential of Apps Script

 

Alright, folks, we’re talking about something quite hot off the press in the realm of Google Apps Script — “Smart Chips.” This feature is available within Google Docs and can build previews of pasted links using the Card Service. Think of it as a little preview window of what lies beyond the link — a sneak peek, if you will. 🕵️‍♂️

Editor: Smart chips are a recent feature in Google Workspace that help you quickly insert information into your Docs and Sheets. They can be used to insert people, places, dates, and more. It’s also possible for Google Workspace developers to publish their own ‘Preview links’ smart chips as Workspace Add-ons. In this post from Dmitry Kostyuk you can learn about publishing your own smart chips and some creative ways to get the data you need using Google Apps Script.

Source: Previewing Links with Smart Chips: The Untold Potential of Apps Script

How to publish to the Google Workspace Marketplace [Video Tutorial]

In this video you will find out how you can publish your app to the Google Workspace Marketplace.

Publishing a Google Workspace Add-on or Chat App can be a bit daunting. We’ve featured a couple of ‘how-to’ guides, which go into the detailed steps of the process, and my favourite has to be Alice Keeler’s top tips for getting your Google Workspace Add-on published. If you are still unsure about the Google Workspace Marketplace publication options and information required, this video from Chanel Greco gives an overview of the entire process from start to finish.

Source: How to publish to the Google Workspace Marketplace