Google calendar API key needed in nodejs.dev
Can someone add a GCal api key for the nodejs.dev repo to the Github secrets?
It's the last thing needed for this open PR: https://github.com/nodejs/nodejs.dev/pull/1713
The current key belongs to the dev that was working on this feature for demo purposes.
cc @mhdawson maybe?
I'll need a bit more context in terms of the steps needed to get a GCal API key and where/how it needs to be added.
Initially, I thought adding it as a GitHub secret would work. I realized it would still expose the API key though, because we're making the call from the client side. What if we utilized a Firebase function and stored the key in Firestore? Kinda like the answer to this Stack Overflow.
Also, I think @brianwarner has the API key we're looking for.
Expanding upon my idea, I'm thinking the steps could be:
- Create a Firestore database holding the API key
- Write a Firebase function calling the Google Calendar API and returning the events
- Call the Firebase function from the nodejs.dev repo
This gives us the advantages of not exposing the API key in a prod environment, it's not stored in GitHub at all, and if we add in more API calls that require authentication we can add them in as Firebase functions.
@benhalverson @bnb @mhdawson thoughts?
Links:
In the future, this could be automated too using the APIs for Firebase. We could update the Firestore database and Firebase functions in a GitHub Action, for example. Maybe even store the Firebase functions in the nodejs.dev repo. Then the only manual part would be adding API keys to Firestore as we need to.
I'm not sure how the existing calendar works on nodejs.org, but do you even need any private information? In Google Calendar I can add the Node.js calendar to my regular view and then see all the Node.js items on my calendar. This makes me think we don't need anything private. If we just created a new Gmail account and added the Node.js calendar to that user's calendar, then from that user you should be able to get all of the calendar data? That may still need a Gmail login, but for a user whose only purpose is getting the calendar, which limits the risk if the secrets are compromised.
nodejs.org uses an iframe to load a Google Calendar. See https://support.google.com/calendar/answer/41207?hl=en# We moved away from that approach because a white calendar in dark mode looks terrible and we have no way to style an iframe on another domain. An attempt was made here.
We don't need any private info but to access any Google API requires a client API key. Docs
https://github.com/nodejs/nodejs.dev/pull/1713/files#diff-a1c19f3a31d5257820088c00fffd27fa4f5be820f4f9bdb71e057c86bbef3e35R37-R40
```ts
// Snippet from the PR linked above. `gapi` is the Google API client library
// loaded in the browser and `GCalResponse` is the PR's own response type; the
// API key configured on gapi.client is attached to every request it makes.
export async function getEvents(
  calendarId: string,
  maxResults = 1000
): Promise<GCalResponse> {
  // events.list on a public calendar needs no OAuth, only the API key.
  return gapi.client.calendar.events.list({
    calendarId,
    maxResults,
  });
}
```
This code is getting the calendar list specifically for [email protected], which is the public calendar email from nodejs.org/calendar; you can see this in the URL.
This new way doesn't use an iframe and instead uses the Google Calendar API directly with our own components. This allows us to make the calendar match the rest of the design in both light and dark mode.
We don't need any private info but to access any Google API requires a client API key. Docs
Understood, my question is why we need an API key tied to the Node.js calendar. Can we just create a new Gmail account, create an API key for that user and then use that to get the public calendar info? I agree we'd likely need to share/store the info/login for that user somewhere.
Hey Ben and Michael, I have the API key here if you want it. Sorry I missed these notifications, but it sounds like a secret isn't the right way to do it anyhow. Ben, maybe I should just email it directly to you.
On Tue, Sep 14, 2021 at 10:39 AM Michael Dawson @.***> wrote:
We don't need any private info but to access any Google API requires a client API key. Docs
Understood, my question is why we need an API key tied to the Node.js calendar. Can we just create a new Gmail account, create an API key for that user and then use that to get the public calendar info? I agree we'd likely need to share/store the info/login for that user somewhere.
--
Brian Warner, The Linux Foundation
@brianwarner what all does that API key give access to?
It appears to be scoped just to the Google Calendar API. I had to create it separately via GCP, but I'll be honest I don't know much more about how it will be used.
On Tue, Sep 14, 2021 at 10:47 AM Michael Dawson @.***> wrote:
@brianwarner https://github.com/brianwarner what all does that API key give access to?
My key question is whether it will let you manipulate the calendar. I'm not sure we need to expose/store a key that does that versus just reading the calendar, which I'm wondering should be possible without an API key tied to the account.
I found the Google Calendar API docs. From a quick skim it seems to be read/write: https://developers.google.com/calendar/api/v3/reference
On Tue, Sep 14, 2021 at 1:35 PM Michael Dawson @.***> wrote:
My key question is whether it will let you manipulate the calendar. I'm not sure we need to expose/store a key that does that versus just reading the calendar, which I'm wondering should be possible without an API key tied to the account.
If we utilize a Firebase function, then it doesn't matter what the API key has access to.
@lancemccluskey I still don't understand why it needs to be one that will have a higher level of access than read, which we could get through an API key on any account, right?
I don't want to block progress, but I also think we should reduce the number of high-level access keys that we have across the org; the recent Travis incident shows that what should be private sometimes is not.
From what I can tell, the API key can only be issued through GCP, and is specific to the application (here, the themeable calendar) rather than the Google account. I think the way it works is that you can either use the default embedded Google Calendar view that's available to any account with minimal customization, or you can provision an API key from GCP to allow an app to request access to an existing Google account. I haven't been able to find anything in the middle, unfortunately, aside from limiting the key to the Google Calendar APIs in general. I'm admittedly not that familiar with the GCP console though, so if someone else knows I'm happy to take a look.
On Thu, Sep 16, 2021 at 9:28 AM Michael Dawson @.***> wrote:
@lancemccluskey https://github.com/lancemccluskey I still don't understand why it needs to be one that will have a higher level of access than read, which we could get through an API key on any account right?
I don't want to block progress but I also think we should reduce the number of high level access keys that we have across the org, the recent Travis incident shows that what should be private sometimes is not.
I don't want to block forward progress, but one last comment to provide context on where I'm coming from.
The existing automation that creates the meeting issues is driven off the calendar. You can see it calling calendar.events.list in https://github.com/nodejs/create-node-meeting-artifacts/blob/412a306e2135fdba9acff0db81281cdcf5e71b66/create-node-meeting-artifacts.js#L60.
Where I'm coming from is that the automation uses my account, so no API key from an account tied to the Node.js project.
Now having said that, it does use my personal account and I have read/write access to the calendar, so maybe that is the only reason it works. I was thinking anybody could add the Node.js calendar and then have read access to the calendar. If that's not the case then the API key is the way to go, as there is no point creating an account with escalated privileges; that would probably be worse than just providing an API key.
@mhdawson That's a good point. You're right, we only need read permissions. Since the calendar is already public, I wonder if there's a way to get the events without an API key. I'll dig into that and see if I can come up with anything.
Eureka!! @mhdawson I found this https://developers.google.com/calendar/api/v3/reference/events/list, and it says authentication optional. Since we only care about reading the events I think this is def the way we should go. I'll keep digging and see if there's anything else I can find.
Ok, I think most of us misunderstood before: the API key ONLY lets us use the endpoints that don't require authorization. The Google Calendar endpoints require OAuth2 authorization to make changes.
Video: https://user-images.githubusercontent.com/40124399/133770620-9693fc4b-81fa-4e58-ab23-b1f7108a51c2.mp4
Also, here is the client-side JavaScript library we are using to access the API, and it clearly states that the API key is used for unauthorized access to the API.
In addition, we can restrict the API to only be called from our nodejs.dev website. You can see in the screenshot below where you authorize the API key.
[Screenshot: Screen Shot 2021-09-17 at 5 50 33 AM]
@benhalverson @brianwarner @mhdawson This makes me think we're fine to just include the API key in our repo, since we can render it useless if used outside of nodejs.dev. Even if someone figured out a way to use it, it wouldn't work to edit the calendar since calls made with an API key are considered "unauthorized". Thoughts?
@lancemccluskey That clarifies things a lot. Assuming we restrict to nodejs.dev, then using the API key makes sense to me.
I think we would still want to store the key in a way that it's not public. So not in the repo, but on the server where we host nodejs.dev itself? Does that make any sense?
Yeah, it does. I just don't know how we'd do that.
How/where is the API key needed, and how/where is nodejs.dev deployed? I know where nodejs.org is deployed and can log in there, but have never looked at the same for nodejs.dev.
Hey folks, do we still need updates here? 👀
Basically, just to give context, we would use the key for using the Google Calendar API for the Node.js Calendar page (where we can see all the meetings of the Node.js project).
@mhdawson I think we can close this for now. Checking the API docs, it doesn't seem like we need an API key for now.