Login/Register
Apps Script Private functions
Asked Answered
Solved google-apps-script
A

2

8

In Google apps script documentation, there is a page about Private functions on server side. That should explain that without private functions, the server code is visible from the user browser. Can anybody explain how you can see such server side functions in a browser ? Thanks

See : https://developers.google.com/apps-script/guides/html/communication#private_functions

Agler answered 12/3, 2015 at 15:38 Comment(0)
T
8

The server code is never visible on the user's browser, only the functions names. Private functions hides those names, but more importantly they remove the ability from the frontend to call them directly.

In other words, private functions allow you to define your backend entry-points, preventing a malicious user to bypass some checks you might have and call your "internal" functions directly.

To showcase how easy it is to see the name and call any non-private backend function, I've put up this example where we inspect the google.script.run object:

function myFunction() {}

function anotherFunction() {}

function privateFunction_() {}

function doGet() {
  return HtmlService.createHtmlOutput(
    '<p id="output"></p>'+
    "<script>var s = ''; for( var prop in google.script.run ) s+=prop+'<br>';"+
    "document.getElementById('output').innerHTML = s;</script>"
  );
}

Here's this example published: https://script.google.com/macros/s/AKfycbzk0d03iB1O3vVYVD_U7eONM357iOPlAn7RFxAeZKx34q1Ones/exec

And its source code (same as above): https://script.google.com/d/1WMY5jWblGl8U84WvVU_mZjHDg-6rGOoOPnKMF6m2bS_V-2g6IChBVDrg/edit

-- to address a question in the comments

The doGet function cannot be made private since its name is fixed/predefined. But that is not really a problem as this function is supposed to be an entry point anyways, and since you expect it to be called from the users' browsers and can do your parameters checks and such accordingly.

Tabescent answered 12/3, 2015 at 20:0 Comment(4)
Thanks a lot Henrique for this answer. Does that mean that only the names of the server-side functions can be seen but never the content of them ?Agler
Yes, that's right. But all "public" functions can also be called (that is, executed). So you should always check your parameters before doing anything (in such functions).Tabescent
so the doGet function is also made visible/public. There must be risk associated with this. You can't add a _ to the end of it so then all you can do is have the doGet function call a private function so its internal logic is not available to the client, right?Paba
Not really @IMTheNachoMan, the goal is not to hide the code/logic, that's hidden already. The _ trick is to disallow the frontend to call those functions directly, basically deciding which entry points you allow the frontend to use to start an operation. I'll edit my answer to try to clarify that.Tabescent
M
2

Using IIFEs with closures

counter.gs

const Counter = (function() {
  const count = 0; // Private variable

  function increment() {
    count++; // Accessing the private variable
    console.log('Count:', count);
  }

  function decrement() {
    count--; // Accessing the private variable
    console.log('Count:', count);
  }

  return {
    increment,
    decrement
  };
})();

main.gs

Counter.increment(); // Output: Count: 1
Counter.increment(); // Output: Count: 2
Counter.decrement(); // Output: Count: 1

In the code above, an IIFE is used to create a closure that encapsulates the count variable and two inner functions: increment and decrement. The count variable is private and can only be accessed by the inner functions.

The IIFE immediately executes, returning an object with references to the inner functions (increment and decrement). These functions have access to the private count variable due to the closure.

Masseuse answered 13/7, 2023 at 18:38 Comment(1)
Hopefully native JvaScript support for private class methods will be implemented soon. Here's the feature request.Pensive

© 2022 - 2024 — McMap. All rights reserved.