Hey all,
Google is changing the policy around how apps can access Drive data soon (see Enhancing security controls for Google Drive third-party apps) and I was looking into whether this will affect Duplicacy.
Based on what I understand, it will. Specifically, the issue is that the https://www.googleapis.com/auth/drive scope is becoming restricted (see the full list of OAuth 2.0 scopes here) and this scope is used by tokens generated by the https://duplicacy.com/gcd_start endpoint.
However, I believe there’s no need for Duplicacy to use this scope. The much less dangerous https://www.googleapis.com/auth/drive.file scope is more appropriate: this would only allow Duplicacy access to files and folders that it creates. In fact, there are no changes needed to Duplicacy’s codebase; the only change needed is how the token is created.
My proposal therefore is to retire the https://duplicacy.com/gcd_start endpoint and instead replace it with a simple CLI that allows the user to generate a token locally and uses the https://www.googleapis.com/auth/drive.file scope. The way I’ve done this was using the code from Go Quickstart for Drive, so this CLI could be based on that. When the user first tries to use Drive storage without a token, they are asked to visit a link to authorize the app and copy-paste an auth code, after which a valid token is generated.
Hope this proposal is helpful, thoughts welcome!
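
The scope change proposed in the post above, as an added example that is not part of the original post and is not Duplicacy's or Google's code: it builds the consent link with only the `drive.file` scope and checks the space-delimited `scope` field of a token response for anything broader. The client ID, redirect URI, state value and the function names are placeholders assumed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const (
	// Scope names as given in the post.
	scopeDrive     = "https://www.googleapis.com/auth/drive"      // full Drive access, becoming restricted
	scopeDriveFile = "https://www.googleapis.com/auth/drive.file" // only files and folders the app creates
	// Google's OAuth 2.0 authorization endpoint.
	authEndpoint = "https://accounts.google.com/o/oauth2/v2/auth"
)

// consentURL builds the link the user visits to authorize the app.
// Only drive.file is requested; all arguments are caller-supplied placeholders.
func consentURL(clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", scopeDriveFile)
	q.Set("access_type", "offline") // ask for a refresh token as well
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode()
}

// excessScopes returns every scope in a token response's space-delimited
// "scope" field that is not drive.file, so a CLI can refuse to store
// a token that carries more access than it needs.
func excessScopes(granted string) []string {
	var extra []string
	for _, s := range strings.Fields(granted) {
		if s != scopeDriveFile {
			extra = append(extra, s)
		}
	}
	return extra
}

func main() {
	fmt.Println(consentURL("CLIENT_ID_PLACEHOLDER", "http://localhost", "constructed-state"))
	// Constructed scope strings, shaped like the "scope" field of a token response.
	for _, g := range []string{scopeDriveFile, scopeDrive + " " + scopeDriveFile} {
		fmt.Printf("granted=%q excess=%v\n", g, excessScopes(g))
	}
}
```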