plugin-hub icon indicating copy to clipboard operation
plugin-hub copied to clipboard

Published 20 hours ago verified publisher icon runelite

Update "Dude, Where's My Stuff?" to v2.7.0

Open Thource opened this issue 1 year ago • 4 comments

Release notes: https://github.com/Thource/dude-wheres-my-stuff/releases/tag/v2.7.0

Thource avatar Jul 06 '24 23:07 Thource

Includes non-plugin changes

dude-wheres-my-stuff: 749e63ef6871ae27d45b5ac401e1b716e1c95fae...19dc452292300d48d96ce0fa14a905ee6409c875

runelite-github-app[bot] avatar Jul 06 '24 23:07 runelite-github-app[bot]

Sorry, trying to create a PR for hotfix and accidentally pushed to this branch

Thource avatar Aug 14 '24 18:08 Thource

@Thource as a reminder you pushed this branch to have no changes, also I pushed this plugin back 1 commit to before the cat_h changes, just so you are aware when/if you resolve this PR.

Felanbird avatar Aug 28 '24 20:08 Felanbird

Thanks @Felanbird, I believe this should be ready now

Thource avatar Sep 14 '24 19:09 Thource

Is there a reason you need the newer gsheets dependency? Does v4-rev581-1.25.0, which is already approved, no longer work?

LlemonDuck avatar Nov 12 '24 03:11 LlemonDuck

We thought it’d be best to use an updated version, rather than the 2019 version. See here: https://discord.com/channels/301497432909414422/419891709883973642/1259902701165351053

On Nov 12, 2024 at 3:20 AM, <Rhea @.***)> wrote:

Is there a reason you need the newer gsheets dependency? Does v4-rev581-1.25.0, which is already approved, no longer work?

— Reply to this email directly, view it on GitHub (https://github.com/runelite/plugin-hub/pull/6252#issuecomment-2469511378), or unsubscribe (https://github.com/notifications/unsubscribe-auth/AA7KA5KPTSWQPUFBMK76XKL2AFXXVAVCNFSM6AAAAABKOZZN7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINRZGUYTCMZXHA). You are receiving this because you were mentioned.Message ID: @.***>

Thource avatar Nov 12 '24 09:11 Thource

We tried to downgrade our google-api-services-sheets to the already accepted version, but doing this would have meant that the plugin users would need to create their own Google API keys and paste them into the plugin config, rather than just using Google's OAuth flow, which does not seem like a good user experience.

We believe the best option for the plugin is to add these new dependencies, rather than the alternative.

Thource avatar Feb 07 '25 22:02 Thource

this is not supposed to be public https://github.com/Thource/dude-wheres-my-stuff/blob/19dc452292300d48d96ce0fa14a905ee6409c875/src/main/resources/credentials.json#L8

abextm avatar Feb 08 '25 02:02 abextm

this is not supposed to be public https://github.com/Thource/dude-wheres-my-stuff/blob/19dc452292300d48d96ce0fa14a905ee6409c875/src/main/resources/credentials.json#L8

Hey, chiming in as the person who worked on this and had this discussion with Thource too. We actually scoped this as a native app which means the client-secret is actually not treated as sensitive on Google's side since it needs to be deployed with the application (and so the user would have access to it).

From their docs:

Installed apps are distributed to individual devices, and it is assumed that these apps cannot keep secrets. They can access Google APIs while the user is present at the app or when the app is running in the background.

The desktop app requests no restricted scopes which means that the key is unable to list or search for any of the sheets it creates. This means that someone with these creds can only access documents that they know the sheet ID of (which is on the order of UUID levels of difficulty to guess) and that the current authenticated user has access to.

"While the user is present" is guaranteed by the Google Auth Flow. The auth flow in this case is the user gets a browser opened to auth with the Dude Where's My Stuff App, they complete the auth, and now the plugin is able to create and modify the spreadsheet provided assuming the authenticated google account has access to the sheet id provided (if no sheet id provided, it creates one).

We did consider storing the secret on a secret store of some kind and retrieving it, but ultimately the secret is still going to be on the users machine (either in memory or in the jar), so it doesn't seem worth the hassle. The worst case scenario, we could surmise, is that someone decided to impersonate the app, which still requires the user to go through the oauth flow, and even if they do they will find they can only modify new google sheets that the app has created and that they already know the id of. Ultimately doing that would just be obfuscation, not really "security".

It's probably ideal for it not to be in plain text... but I am not sure we gain much by obfuscating it either.

Just wanted to share the context.

jaybyrrd avatar Feb 08 '25 02:02 jaybyrrd

Hmm, OK. I would expect Google to use a pkce flow without a client secret, but the docs seem to indicate otherwise, so that is okay I guess. Obfuscating it wouldn't be useful or add anything, so this seems fine.

Do you know its excluding grpc is possible? It looks almost entirely unused.

abextm avatar Feb 08 '25 03:02 abextm

So I just confirmed it is on the runtime classpath for the google api client and http client.

I recall us trying to remove it and it causing the integration to totally fail. I dug up the chat here which confirmed we couldn't remove opencensus. I wanted to make sure about grpc, so I went ahead and tried again.

When I add:

        exclude group: 'io.grpc'

the application ultimately fails with:

java.lang.NoClassDefFoundError: io/grpc/Context
	at io.opencensus.trace.unsafe.ContextManagerImpl.currentContext(ContextManagerImpl.java:30)
	at io.opencensus.trace.unsafe.ContextHandleUtils.currentContext(ContextHandleUtils.java:56)
	at io.opencensus.trace.CurrentSpanUtils.getCurrentSpan(CurrentSpanUtils.java:37)
	at io.opencensus.trace.Tracer.spanBuilder(Tracer.java:308)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:865)
	at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:304)
	at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:166)
	at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:72)
	at com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp.authorize(AuthorizationCodeInstalledApp.java:115)
	at dev.thource.runelite.dudewheresmystuff.export.utils.GoogleSheetConnectionUtils.getCredentials(GoogleSheetConnectionUtils.java:54)
	at dev.thource.runelite.dudewheresmystuff.export.utils.GoogleSheetConnectionUtils.getSheetsConnection(GoogleSheetConnectionUtils.java:62)
	at dev.thource.runelite.dudewheresmystuff.export.clients.GoogleSheetClient.<init>(GoogleSheetClient.java:29)
	at dev.thource.runelite.dudewheresmystuff.export.writers.GoogleSheetsWriter.<init>(GoogleSheetsWriter.java:38)
	at dev.thource.runelite.dudewheresmystuff.StorageManagerManager.lambda$exportItems$17(StorageManagerManager.java:221)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.ClassNotFoundException: io.grpc.Context
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
	... 15 common frames omitted

jaybyrrd avatar Feb 08 '25 03:02 jaybyrrd

not blocking, but you should use int[] here. https://github.com/Thource/dude-wheres-my-stuff/compare/749e63ef6871ae27d45b5ac401e1b716e1c95fae...Thource:19dc452292300d48d96ce0fa14a905ee6409c875#diff-6e5d858f33efa0e0391d79d78318fb1423603c06103c4486f44d96851f83b364R14

abextm avatar Feb 08 '25 03:02 abextm