Sensitive data storage


Venkata K

Oct 12, 2021, 8:22:46 PM
to Google Apps Script Community
Wondering if anyone used PropertiesService.getUserProperties() to store sensitive user data, e.g. PII, tokens, etc.? What are the security risks? Who can get hold of this data other than Google? Appreciate any insights!

Venkata

Alan Wells

Oct 12, 2021, 8:40:54 PM
to Google Apps Script Community
It depends on how you are deploying your app and who has access to the Apps Script file. Is it a Web App? Deployed as an add-on? Bound to a Sheets file? As long as the user doesn't have edit access to the Apps Script file then the user can't run code to get data out of user properties. There is an issue of client-side JavaScript in HTML script tags in sidebars, dialog boxes and web apps exposing server-side Apps Script function names, and even though you can hide function names by putting an underbar at the beginning of the function name, you can't run a function from the google.script.run.functionName() API that has an underbar at the front.
So basically the issue is who can run the server side code. 

Venkata K

Oct 12, 2021, 9:20:30 PM
to Google Apps Script Community
Thanks for your quick thoughts. Script is container bound. I'm not worried about the function names. Wondering about security risk of storing Auth tokens in the user properties? Wondering if there is any guidance from Google on the kind of data that can be stored, who has access to the data in the user scope? 

Alan Wells

Oct 12, 2021, 10:09:55 PM
to Google Apps Script Community
The documentation is at:
Only strings can be stored.
The quota size is at:
Other than that, I don't know of any guidance about how to use it.

Venkata K

Oct 13, 2021, 11:54:44 PM
to Google Apps Script Community
Thank you for the quota limits! Very helpful!!
I'm confused about 500 KB / property store. So 500KB for UserProperties is for all scripts combined for a specific user or for each individual script/user? 
Similarly 500KB/DocumentProperties is for all scripts combined for a specific document or for each individual script/document? 

Venkata

Alan Wells

Oct 14, 2021, 10:58:28 AM
to Google Apps Script Community
How the total quota limit is applied depends on the type of Properties Service being used.
If it's document properties then the total limit is for one document.
If it's user properties then the total limit is for that one user.
And Script Properties is for one Apps Script file.
There are various other unique situations. Web Apps do not have Document Properties, they are not a document.
There is rate limiting that applies to how often the property can be accessed in a short period of time.
The exact rate limiting quota is not documented as far as I know. You'd get an error message. If you get error messages then you need to write code to wait/sleep and then retry.
The key length for the property name is limited to 250 characters.
Cache Service and Properties service have different total limits.
Use the JSON utility to stringify and parse JSON for conversion.
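
The wait-and-retry, 250-character key limit and JSON conversion mentioned in the last reply, combined into one wrapper as an added example that is not part of the thread. The names `withRetry`, `saveJson`, `loadJson` and `makeFlakyStore` are hypothetical, and the attempt count and delays are assumptions, since the thread says the rate limit is undocumented.

```javascript
// Added example, not from the thread. 250 is the key-length limit quoted
// there; the attempt count and delays are assumptions.
const MAX_KEY_LENGTH = 250;

// Run fn; on any exception wait and retry with exponential backoff. The
// thread gives no error text to match on, so every exception is retried.
function withRetry(fn, sleep, maxAttempts = 5, baseDelayMs = 200) {
  let lastError;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    try {
      return fn();
    } catch (err) {
      lastError = err;
      if (attempt < maxAttempts - 1) sleep(baseDelayMs * 2 ** attempt);
    }
  }
  throw lastError;
}

// Store any JSON-serializable value under key; returns the stored length.
function saveJson(store, key, value, sleep) {
  if (typeof key !== 'string' || key.length === 0 || key.length > MAX_KEY_LENGTH) {
    throw new RangeError('property key must be 1-' + MAX_KEY_LENGTH + ' characters');
  }
  const text = JSON.stringify(value);
  if (text === undefined) throw new TypeError('value is not JSON-serializable');
  withRetry(() => store.setProperty(key, text), sleep);
  return text.length;
}

// Read a value back; a missing key comes back as null.
function loadJson(store, key, sleep) {
  const text = withRetry(() => store.getProperty(key), sleep);
  return text === null ? null : JSON.parse(text);
}

// Constructed stand-in for a property store that fails its first N calls.
// In Apps Script, pass PropertiesService.getUserProperties() as the store
// and ms => Utilities.sleep(ms) as the sleep function instead.
function makeFlakyStore(failures) {
  const data = {};
  let remaining = failures;
  const maybeFail = () => { if (remaining-- > 0) throw new Error('constructed rate-limit error'); };
  return {
    setProperty(k, v) { maybeFail(); data[k] = String(v); return this; },
    getProperty(k) { maybeFail(); return k in data ? data[k] : null; },
  };
}
```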