Google Drive API - limit API access to single folder?

10
votes

My app uses Google Drive API to read files that a user has uploaded to their Drive storage area, and to write files and folders into this same directory. The user logs in with their own account/credentials.

My current understanding is that the only scope (access level) available for me to use in this case is "full drive access".

Is this a correct statement?

Dropbox supports an "Apps" folder where I can use their API to read/write, while being restricted to my own area. I'm surprised that Google doesn't offer something similar, as my users may not want to grant read/write access to their entire Drive storage, when all I need access to is a single directory (and all sub directories within, whether I create or user creates).

To provide a little more info, my app is a flashcard app. I want users, at a minimum, to be able to upload spreadsheets with data to be read in by the app. But users would like it if I didn't need full access to all their data.

2
google-drive-api
Although I'm not sure whether this is useful for your situation, If you want to make users access to only the files created by your application, how about this? The official document says that for the scope of https://www.googleapis.com/auth/drive.file, View and manage Google Drive files and folders that you have opened or created with this app. If this was not useful for your situation, I apologize. - Tanaike
Thanks Tanaike . Yeah, I'm aware of this scope, but I need to be able to read files that users have uploaded outside of the app (which this scope doesn't support). Because I want to read user create files, it seems user/Drive must grant me full access to their entire library. - Ernie Thomason
Thank you for replying. I apologize my comment was not useful for your situation. If my understanding for your situation is correct, for example, when the file is uploaded to user's google drive, how about sharing the file to your account or service account? By this, only the file can be accessed. If I misunderstand your situation, I apologize. - Tanaike
That might work for transferring a single file. Having them enter another account name to share with seems clunky, and getting hundreds/thousands of shares and finding their files with API all seems troublesome. One user wondered if they could paste a shared link into my app. While that works outside of an API with a personal account, I don't know how that works from an API perspective. While this kind of approach could maybe potentially work, it's not path I want to consider at this time. I'm more interested in straight API access from a single user account. - Ernie Thomason
I apologize that my comments were not useful for your situation. Can I ask you about I'm more interested in straight API access from a single user account.? Do you want to make access users to user's Google Drive using each account? Or do you want to make access users to user's Google Drive using only one account? - Tanaike

2 Answers

5
votes

I think the simple answer is... Google Drive doesn't have an "Apps" directory like Dropbox or OneDrive, and if an app want access to files the user uploaded to Drive, the basic way is for the user to grant access to ALL files in Drive.

The "drive.file" scope might work for some since it appears to give access to individual files that the user OK'd. How does the user OK a file? According to the post below, they would send a file from the Drive app to my app.

Google Drive api scope and file access (drive vs drive.files)

I think these are the only two permission options to read user's files using the Drive API (without using a service account).

0
votes

There is the Application Data folder for this purpose.

To limit an app's access to its folder only, you can set

const SCOPES = "https://www.googleapis.com/auth/drive.appfolder"

Read more here: https://developers.google.com/drive/api/v2/about-auth