If I publish a project as public web app, to receive and response only a few variables... is then the complete source code and maybe the used library visible to all users?
1 Answers
5
votes
No. Publishing the app, and file sharing are two different things. You can publish an Apps Script app as "Anyone, even anonymous" having access to the web app, but if you don't share the file with anyone, then no-one will have access to the code.
If you shared something like a spreadsheet file with someone, and they made a copy of the spreadsheet, then they become the owner of the copy of the spreadsheet, and all the code bound to the spreadsheet goes with the spreadsheet. In that case, you code would not be secure.
But, if it's a stand alone Apps Script, and you don't share the file with anyone, you can still give access to anyone to run the app with the published URL.
Lot's of people create Apps Script code bound to a spreadsheet, and may not realize that when they share the spreadsheet file, there is no way to secure their code.
A stand alone app is not bound to anything. That's the difference. Any JavaScript code in the HTML, of course, is open to the world. The only code that can NOT be viewed is the server side .gs code, in a stand alone app.
Unless your function names are private, someone who knows how, can get the names of all your functions, that are not private. But just because they have the name of a function, doesn't mean that they can get what the code is. (That I know of). But, someone could modify the HTML in the browser, and probably run a lower level function with google.script.run if they had the name of the function.
If you gave someone the Project Key, to use as a library in a file they owned, as soon as they put the new library in, they get an email with a link to the Library, which they can view. So, the issue is, whether they know the URL of the library or not. If they never know the URL of the library, they can't view it. (Unless they somehow guessed at what the URL was, and got lucky). But in the case of a Stand Alone Apps Script, that is a owned by you, and not shared with anyone, there is no need to give out the Project Key to be added as a library.
