Using external APIs

Hey there! I’m wanting to add an “authorisation flow” into my application where a user authorises the app to manage their Gmail account. I’ve watched this video RedwoodJS Authentication in 5 minutes - YouTube and think I can use some bits of it. I’m not looking to create a user, however, but to retrieve their keys so I can store them in my database and later be able to use them with the Gmail API.

Am I approaching this correctly? Can you make a recommendation as to a resource I can read about doing something like this, where I effectively integrate with another API?

I’ve found this but Gmail’s API is slightly more intricate.

Thank you in advance!

Just wanted to pop in here real quick. You’re gonna need to look at Google’s OAuth flow and follow their instructions. You won’t be storing any “keys” in your database. All of this will happen client side (web).

The way this would work (and OAuth2 generally) is that you’ll ask Google for a token on behalf of the user with the permissions you want the user to allow you to have (Gmail in this case… it goes deeper than just that btw). The user gets directed to an auth page on Google’s side with a list of what they’ll give your app permissions to. When they accept, Google will call your app at a “callback URL” and will give you a JWT (a token with special metadata) that you’ll then use to make API requests on behalf of the user. This JWT has an expiration so it won’t work forever. You will get another token with the main one called a “refresh token” that you can hang on to. This is most often stored in the browser as a cookie. I believe Redwood has some interfacing with that. The refresh token will let you skip the step of asking for permissions again (if certain criteria are met… like the user hasn’t revoked permission or their session hasn’t expired).

There’s a lot of moving parts here and most of it is outside the domain of Redwood. The link you posted about external API requests is good info, and you can use that for sure.

I would start with a tool like Postman to test out Google requests / flow without struggling with the app. Once you can make a good request, take a small bite of the next step, the callback endpoint. I’m sure you’ll have questions along the way.

It’s best to take these kinds of things in the smallest steps possible.

  1. Use Postman to get your own account’s token.
  2. Get your own token in the app (just code up the most basic request you can, using what you’ve learned from Postman, to get a token).
  3. Hook up a callback URL that will accept Google’s response with the tokens, and a button for the user to click that sends them to Google’s auth page.
  4. Wire up something you want to do with the API - get all emails or something.
  5. Save the refresh token in the browser’s session cookie (not your own db).
  6. Before that API call, check if the JWT is expired. If it is, use the refresh token to get a new one. If it’s not expired, then use it.

Good luck!

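The flow described in the reply above (auth page, callback URL, code-for-token exchange, expiry check before each API call), written out as an added example that is not code from the thread or from RedwoodJS. The two Google OAuth2 endpoints are real; the client id, secret, redirect URL, `fetchImpl` injection and token shapes are assumptions for a stand-alone run.

```javascript
// Added example, not code from the thread or from RedwoodJS. Google's two OAuth2
// endpoints are real; client ids, secrets, redirect URLs and tokens are placeholders.
const AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
// URL the "connect Gmail" button sends the user to. `state` is a random per-session
// value kept on your side; access_type=offline asks Google for a refresh token too.
function buildAuthUrl({ clientId, redirectUri, scopes, state }) {
  const params = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri, response_type: 'code',
    scope: scopes.join(' '), access_type: 'offline', prompt: 'consent', state,
  });
  return `${AUTH_URL}?${params}`;
}
// Callback endpoint receives ?code=...&state=... Refuse to exchange the code unless
// `state` matches what was issued, so a forged or replayed callback is dropped.
function checkCallback(query, expectedState) {
  if (!query.state || query.state !== expectedState) throw new Error('state mismatch');
  if (!query.code) throw new Error(query.error || 'missing code');
  return query.code;
}
// What we keep from Google's JSON: tokens plus an absolute expiry timestamp. Refresh
// responses omit refresh_token, so the one from the first exchange is carried over.
function toTokenSet(json, now, previous = {}) {
  return { accessToken: json.access_token, expiresAt: now + json.expires_in * 1000,
    refreshToken: json.refresh_token || previous.refreshToken };
}
async function postToken(params, fetchImpl) {
  const res = await fetchImpl(TOKEN_URL, { method: 'POST', body: params.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' } });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return res.json();
}
// One-time code -> access token (+ refresh token on the first consent).
async function exchangeCode(code, cfg, fetchImpl = globalThis.fetch, now = Date.now()) {
  return toTokenSet(await postToken(new URLSearchParams({ code, grant_type: 'authorization_code',
    client_id: cfg.clientId, client_secret: cfg.clientSecret, redirect_uri: cfg.redirectUri }),
    fetchImpl), now);
}
// Expired, or within `skewMs` of expiring, means refresh before calling the API.
function isExpired(tokenSet, now = Date.now(), skewMs = 60_000) {
  return now + skewMs >= tokenSet.expiresAt;
}
// Run before every Gmail API request: reuse the token while valid, otherwise refresh.
async function getValidTokenSet(tokenSet, cfg, fetchImpl = globalThis.fetch, now = Date.now()) {
  if (!isExpired(tokenSet, now)) return tokenSet;
  return toTokenSet(await postToken(new URLSearchParams({ grant_type: 'refresh_token',
    refresh_token: tokenSet.refreshToken, client_id: cfg.clientId, client_secret: cfg.clientSecret }),
    fetchImpl), now, tokenSet);
}
```

Passing a stub `fetchImpl` lets you exercise the exchange and refresh paths without touching Google, which is the Postman-first approach from the reply carried into code.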

I also replied in Discord, and want to share this link because it is very, very important to me that data privacy and rights are respected when integrating with third-party APIs like Google and Gmail, and that developers and products are honest and forthcoming about it.

Please read and fully understand the scopes of permissions one can be given here:

Google will (thankfully) require verification for the more sensitive actions.

But, if the user grants you permission to read mails – then anyone with that token/access key can read all your mail – or act as you.

And that is a huge responsibility in terms of trust and also what you do with personal data and information and how you store or otherwise use it.


Thank you!! I should be covered, as I’m definitely not looking to store PII and only intend to use the Basic Scope (which in the description says: “Manage basic mail settings.”), so literally just the stuff you see when you go into your Gmail settings and go under General. Here’s the user-facing description: “See, edit, create or change your email settings and filters in Gmail”.