I am currently working with the Google Calendar Event API to retrieve a list of events for an expert. To manage this, I store the expert’s refresh token in a database and use it to generate an access token. The access token is then used to authenticate the API call to the following endpoint:
My question is whether handling all of this directly from the front-end is secure, or if there’s a more secure and recommended approach for this process.
Is only the owner of the access token and refresh token have access to it (privacy rules)? If yes, there’s no problem. If not, you shouldn’t use this option and use a backend wf to process the API call.
I have a wrapper API call that is triggered from the front end. This API call, in turn, invokes a backend workflow that returns an access token (the backend workflow runs with privacy rules ignored). The access token is then used in the front end to make a call to the events API to retrieve data.
Both the access token and refresh token are accessible only by the respective experts.
In your case, because you are sending the request to get access token using a backend WF but without any privacy rules and probably using API Connector? This is an issue from my point of view.
You don’t have to make a backend WF to get a new access token if this one is expired for the logged in user. You can do that on the front end because the user IS the owner of the access token. So it’s not a problem, this user is the owner of the API account.
Currently, I have a scheduling page where users can book time slots with an expert. When the page loads, an API call is made to retrieve all events from the expert’s calendar. These events are then compared against the list of available time slots, and any conflicting slots are greyed out and made unclickable to prevent users from booking them.
To achieve this, an API call needs to be made from the front end. However, since users don’t have access to the required values, I trigger a backend workflow to fetch them instead.
So if you are fetching the expert access token when another user is logged in, no it’s not safe!
Process everything in backend and only return calendar result.
