Learn-to-send-email-via-google-script-html-no-server: How to stop fork SPAM?

Created on 5 Nov 2017 · 5 Comments · Source: dwyl/learn-to-send-email-via-google-script-html-no-server

How safe would my spreadsheet be if somebody forked my GitHub pages repo using this system or otherwise used the same code?

Given the API key is in HTML, anybody can send data to my spreadsheet even if it is private. I'm a little worried about this.

Are there any known solutions? 😅

All 5 comments

Many pages on the web are public and this could be copied as well, unless you obfuscated it in some way. This is because that API key is pushing data into the spreadsheet as your Google account when you give it permission.

For spam on the page itself, you can see our tutorial on how to add a hidden field to detect certain bots (called a honeypot), or implement a captcha mechanism.

You could require people to have a Google account to submit information. If you want to do that, I would implement it as a Google Form or something similar, but at that point you need a different setup most likely, or pay for such a service. This mechanism of storing data into Google Spreadsheets through Google Scripts here requires that API key be available to the client somehow.

Yeah, I'm concerned in case people fork the GitHub Pages site and keep the API key to my spreadsheet. So I guess what you are saying is that if they did there would be nothing I could do BUT that it's also not a big deal, correct? 😄

IF someone did that, then you could copy your own spreadsheet and re-enable permissions to get a new API key (there may be other ways to regenerate the API key), then delete the old spreadsheet or just disable its key.

So it is possible to disable that API key if need be.

We actually have that issue with our own demos. I recently had to disable the email pushing on the demos since people might have been using our API key just to get emails sent to themselves, at least if you allow the email to get set clientside / in the HTML rather than on Google Scripts.

Thank you for explaining. Makes perfect sense. 👍

I have thought of a solution of sorts to this. You can pass {{ site.github.repository_url }} to your spreadsheet, e.g.:

<input id="url" name="url" style="display:none" value="{{ site.github.repository_url }}" />

So if somebody does fork your form you can filter out anything that doesn't come from your own GitHub Pages repo.
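One way to apply that filter on the Google Apps Script side, as an added example that is not the project's own code: it rejects rows whose hidden url field does not match your own repository URL and also applies the honeypot check mentioned earlier in the thread. EXPECTED_REPO_URL and the honeypot field name are assumed placeholders. Because the url value is supplied by the client, this only drops unmodified forks; anyone who edits the copied form can still set it, so it complements rotating the key rather than replacing it.

```javascript
// Added example (not from the dwyl project): server-side filter for the Apps Script
// doPost handler that receives the form. Constructed placeholder; use your own repo URL.
const EXPECTED_REPO_URL = "https://github.com/example-user/example-repo";
const HONEYPOT_FIELD = "website"; // assumed name of the hidden bot-trap field

// Returns { ok: true } or { ok: false, reason: "..." }.
// Pure function so it can be unit-tested outside Apps Script.
function checkSubmission(params, expectedRepoUrl, honeypotField) {
  // Hidden field filled by {{ site.github.repository_url }}; tolerate a trailing slash.
  const url = (params.url || "").trim().replace(/\/+$/, "");
  if (url !== expectedRepoUrl) {
    return { ok: false, reason: "repository url mismatch" };
  }
  // Honeypot: a real browser leaves the hidden field empty, bots tend to fill every field.
  if (params[honeypotField]) {
    return { ok: false, reason: "honeypot filled" };
  }
  return { ok: true };
}

// Apps Script entry point: e.parameter holds the submitted form fields as strings.
function doPost(e) {
  const verdict = checkSubmission(e.parameter, EXPECTED_REPO_URL, HONEYPOT_FIELD);
  if (!verdict.ok) {
    // Drop silently: do not tell the sender why the row was rejected.
    return ContentService.createTextOutput(JSON.stringify({ result: "ignored" }))
      .setMimeType(ContentService.MimeType.JSON);
  }
  // ... the existing code that appends e.parameter to the spreadsheet goes here ...
  return ContentService.createTextOutput(JSON.stringify({ result: "success" }))
    .setMimeType(ContentService.MimeType.JSON);
}
```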
