12

I am just starting to try building a new Gmail Add-on, and am running into the following error message:

"You do not have permission to call fetch"

This happens when testing the add-on in the Script Editor, and also when deployed inside my Gmail. Here is a sample of the code:

function getContextualAddOn(e) {
    var API_KEY = 'TESTKEY';
    var URL = 'https://[REDACTED]';
    var options = {
        'method' : 'post',
        'contentType': 'application/json',
        'headers': {
            'x-api-key': API_KEY
        },
        'payload' : JSON.stringify({ 'foo': 'bar' })
    };

    var response = UrlFetchApp.fetch(URL, options);

    [more code that builds a card] 
}

As you can see, it's a pretty straightforward use of UrlFetchApp.fetch. I'm brand new to Apps Script, so maybe I am missing some permissions declaration or scope in my manifest. I tried an even simpler example just using UrlFetchApp.getRequest, but that also failed with "You do not have permission to call getRequest".

The manifest for the addon is the same as in the examples:

{
  "timeZone": "America/New_York",
  "dependencies": {
  },
  "exceptionLogging": "STACKDRIVER",

  "oauthScopes": [
    "https://www.googleapis.com/auth/gmail.addons.execute",
    "https://www.googleapis.com/auth/gmail.addons.current.message.readonly",
    "https://www.googleapis.com/auth/userinfo.email"
  ],
  "urlFetchWhitelist": [
    "https://[REDACTED]"
  ],
  "gmail": {
    "name": "Test Add-On",
    "logoUrl": "some url",
    "primaryColor": "#4285F4",
    "secondaryColor": "#4285F4",
    "contextualTriggers": [{
      "unconditional": {},
      "onTriggerFunction": "getContextualAddOn"
    }],
    "version": "TRUSTED_TESTER_V2"
  }
}

Is UrlFetchApp supposed to be allowed inside a Gmail Add-On, or is this just a bug? Do I need to add something to my manifest or enable some other option in the script editor?

tehhowch
  • 9,645
  • 4
  • 24
  • 42
Andrew Goldberg
  • 185
  • 1
  • 9
  • Try triggering the URL fetch inside a [Simple Trigger](https://developers.google.com/apps-script/guides/triggers/) like onOpen or onEdit. This workaround seemed to have worked in this [SO post](https://stackoverflow.com/questions/20457847/urlfetch-in-an-event-failing) – ReyAnthonyRenacia Oct 25 '17 at 15:07
  • Any idea how to set that up for a Gmail add-on? I think there are only contextual triggers. – Andrew Goldberg Oct 25 '17 at 17:29

3 Answers3

29

The UrlFetchApp service requires an additional scope, https://www.googleapis.com/auth/script.external_request. Add it to your list of scopes and the code should work.

The scopes required for each Apps Script method is listed under the "Authorization" section in the reference docs (example). Alternatively, you can discover the scopes required by your script by temporarily removing the oauthScopes section of the manifest and viewing the auto-determined scopes for your code in File > Project properties > Scopes. (If you define any scopes in your manifest, this disables the "automatic scope detection" behavior of Apps Script.)

References

Eric Koleda
  • 12,420
  • 1
  • 33
  • 51
  • 1
    Thank you! This is exactly what was missing. – Andrew Goldberg Oct 25 '17 at 18:03
  • 1
    Just a heads up that if you add a new scope you may have to re-authorize via OAuth. I was able to achieve this by re-adding the trigger to the project which brought up a verification for the new permission. – Emeka Oct 18 '19 at 00:30
  • 1
    After setting the oauthScope in the manifest file, Im still getting the same error. Is there something else I should do? – Gunner Stone Apr 30 '20 at 19:30
  • I'm also getting the same error even after setting it. I tried simple triggers, installable triggers... this is a nightmare. – Patrick Bassut Jun 22 '20 at 02:39
1

The accepted answer was from 2017. I don't know if Google has changed its authorization policy since then, but simply adding a new scope to the Project Properties settings won't work.

How do you trigger the function that call fetch?. You can't use simple triggers to do that. They fire automatically, so they can't access services that require authorization. UrlFetchApp definitely requires permission. There is no way to open a dialog to ask for users' content with simple triggers.

You, as the script owner, can add new authorization scope, but what happens when you deploy this script with end users? How are they going to grant their permission to the script to make API calls to some unfamiliar servers?

To get around this, you need to use installable triggers. Whatever are available in simple triggers, there are equivalent in installable triggers.

Let's assume that you want to call the API on opening the spreadsheet.

From the Script Editor, go to Edit >> Current Project's Triggers and set up a new trigger.

  • Under Run, select the name of the function that you want to trigger. In the OP's case, it's the getContextualAddOn(e) function.

  • Under Select event source, choose From spreadsheet.

  • Under Event type, choose On Open.

  • Configure other settings as you like and save.

bytrangle
  • 979
  • 11
  • 9
0

Use installable trigger instead and write your own function that you bind to your installable trigger.

https://developers.google.com/apps-script/guides/triggers/installable#g_suite_application_triggers

This solved the issue for me.

Kevin.
  • 2,820
  • 2
  • 23
  • 21