feat: Chat webhook #605
feat: Chat webhook #605
Conversation
Summary of ChangesHello @PierrickVoulet, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request delivers a new set of examples demonstrating how to leverage Google Chat webhooks through Google Apps Script. The solution provides clear, functional code snippets for both basic message posting and more advanced threaded replies, aiming to simplify the integration process for developers looking to automate notifications or interactions within Google Chat spaces. The inclusion of a README file ensures users can quickly find relevant official documentation. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces webhook examples for Google Chat. My review identified a critical security vulnerability in both new script files (thread-reply.gs and webhook.gs). Sensitive information such as API keys and tokens are hardcoded in the source code. I've provided suggestions to refactor the code to use Google Apps Script's Properties Service for securely managing these secrets, preventing them from being exposed in version control.
| const url = "https://chat.googleapis.com/v1/spaces/SPACE_ID/messages?key=KEY&token=TOKEN&messageReplyOption=REPLY_MESSAGE_FALLBACK_TO_NEW_THREAD" | ||
| const options = { | ||
| "method": "post", | ||
| "headers": {"Content-Type": "application/json; charset=UTF-8"}, | ||
| "payload": JSON.stringify({ | ||
| "text": "Hello from Apps Script!", | ||
| "thread": { | ||
| "threadKey": "THREAD_KEY_VALUE" | ||
| } | ||
| }) | ||
| }; | ||
| const response = UrlFetchApp.fetch(url, options); | ||
| console.log(response); |
There was a problem hiding this comment.
Hardcoding sensitive information like API keys and tokens directly in the source code is a major security risk. If this code is committed to a version control system, these secrets will be exposed. It is strongly recommended to store these values in a secure location, such as Google Apps Script's Properties Service, and retrieve them at runtime. This prevents accidental exposure of credentials. You can find more information on how to use Properties Service here.
const scriptProperties = PropertiesService.getScriptProperties();
const spaceId = scriptProperties.getProperty('SPACE_ID');
const key = scriptProperties.getProperty('KEY');
const token = scriptProperties.getProperty('TOKEN');
if (!spaceId || !key || !token) {
console.error('Webhook URL parameters (SPACE_ID, KEY, TOKEN) must be set in script properties.');
return;
}
const url = `https://chat.googleapis.com/v1/spaces/${spaceId}/messages?key=${key}&token=${token}&messageReplyOption=REPLY_MESSAGE_FALLBACK_TO_NEW_THREAD`;
const options = {
"method": "post",
"headers": {"Content-Type": "application/json; charset=UTF-8"},
"payload": JSON.stringify({
"text": "Hello from Apps Script!",
"thread": {
"threadKey": "THREAD_KEY_VALUE"
}
})
};
const response = UrlFetchApp.fetch(url, options);
console.log(response);| const url = "https://chat.googleapis.com/v1/spaces/SPACE_ID/messages?key=KEY&token=TOKEN" | ||
| const options = { | ||
| "method": "post", | ||
| "headers": {"Content-Type": "application/json; charset=UTF-8"}, | ||
| "payload": JSON.stringify({ | ||
| "text": "Hello from Apps Script!" | ||
| }) | ||
| }; | ||
| const response = UrlFetchApp.fetch(url, options); | ||
| console.log(response); |
There was a problem hiding this comment.
Hardcoding sensitive information like API keys and tokens directly in the source code is a major security risk. If this code is committed to a version control system, these secrets will be exposed. It is strongly recommended to store these values in a secure location, such as Google Apps Script's Properties Service, and retrieve them at runtime. This prevents accidental exposure of credentials. You can find more information on how to use Properties Service here.
const scriptProperties = PropertiesService.getScriptProperties();
const spaceId = scriptProperties.getProperty('SPACE_ID');
const key = scriptProperties.getProperty('KEY');
const token = scriptProperties.getProperty('TOKEN');
if (!spaceId || !key || !token) {
console.error('Webhook URL parameters (SPACE_ID, KEY, TOKEN) must be set in script properties.');
return;
}
const url = `https://chat.googleapis.com/v1/spaces/${spaceId}/messages?key=${key}&token=${token}`;
const options = {
"method": "post",
"headers": {"Content-Type": "application/json; charset=UTF-8"},
"payload": JSON.stringify({
"text": "Hello from Apps Script!"
})
};
const response = UrlFetchApp.fetch(url, options);
console.log(response);1 participant
No description provided.