322 lines
9.5 KiB
JavaScript
322 lines
9.5 KiB
JavaScript
const CONFIG = {
|
|
SPREADSHEET_ID: "1q4r08nBA_ClWv3ypPCQ6GVCfMVkQwSKzDSRiokkQQ8Q", // ID from mail_forwarding
|
|
SHEET_NAME: "Form Responses 1",
|
|
COL_FORWARD_TO_ADDRESS: 4, // 1-indexed (Column D from mail_forwarding)
|
|
ADMIN_EMAIL: "info@haumdaucher.de",
|
|
PROJECT_ID: "haumdaucher", // Used in the Identity Toolkit REST API
|
|
DRY_RUN: false,
|
|
SEND_EMAIL_ON_CREATION: false,
|
|
};
|
|
|
|
/**
|
|
* Run this function from the Apps Script IDE after pushing code
|
|
* to establish the required background triggers.
|
|
*/
|
|
function setup() {
|
|
const ss = SpreadsheetApp.openById(CONFIG.SPREADSHEET_ID);
|
|
|
|
// Clear old triggers
|
|
const existingTriggers = ScriptApp.getProjectTriggers();
|
|
for (const trigger of existingTriggers) {
|
|
if (trigger.getHandlerFunction() === 'syncUsers') {
|
|
ScriptApp.deleteTrigger(trigger);
|
|
}
|
|
}
|
|
|
|
// Install triggers
|
|
ScriptApp.newTrigger('syncUsers')
|
|
.forSpreadsheet(ss)
|
|
.onFormSubmit()
|
|
.create();
|
|
|
|
ScriptApp.newTrigger('syncUsers')
|
|
.forSpreadsheet(ss)
|
|
.onChange()
|
|
.create();
|
|
|
|
const triggers = ScriptApp.getProjectTriggers();
|
|
console.log(`Setup complete. ${triggers.length} trigger(s) are now active for 'syncUsers'.`);
|
|
}
|
|
|
|
/**
|
|
* Main Entry Point
|
|
*/
|
|
function syncUsers() {
|
|
console.log(`Starting syncUsers... (DRY_RUN: ${CONFIG.DRY_RUN})`);
|
|
|
|
try {
|
|
const desiredEmails = getDesiredState();
|
|
console.log(`Desired state: ${desiredEmails.length} valid email(s) found in sheet.`);
|
|
|
|
const currentState = getCurrentState();
|
|
console.log(`Current state: ${Object.keys(currentState).length} user(s) found in Firebase.`);
|
|
|
|
const actions = reconcileUsers(desiredEmails, currentState);
|
|
|
|
if (actions.length > 0) {
|
|
console.log(`Found ${actions.length} action(s) to execute.`);
|
|
sendAdminReport(actions);
|
|
} else {
|
|
console.log("States are synchronized. No actions required.");
|
|
}
|
|
|
|
} catch (err) {
|
|
console.error("Error during syncUsers:", err);
|
|
MailApp.sendEmail({
|
|
to: CONFIG.ADMIN_EMAIL,
|
|
subject: "Haumdaucher Firebase Sync Failed",
|
|
body: `The Firebase User sync script failed with the following error:\n\n${err.toString()}`
|
|
});
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Extracts valid emails from the Google Sheet.
|
|
*/
|
|
function getDesiredState() {
|
|
const ss = SpreadsheetApp.openById(CONFIG.SPREADSHEET_ID);
|
|
const sheet = ss.getSheetByName(CONFIG.SHEET_NAME);
|
|
const data = sheet.getDataRange().getValues();
|
|
|
|
const emails = new Set();
|
|
|
|
// Start from row 1 (skipping header row 0)
|
|
for (let i = 1; i < data.length; i++) {
|
|
const row = data[i];
|
|
const email = row[CONFIG.COL_FORWARD_TO_ADDRESS - 1];
|
|
|
|
if (email && typeof email === 'string' && email.trim() !== "") {
|
|
const cleanEmail = email.trim().toLowerCase();
|
|
emails.add(cleanEmail);
|
|
}
|
|
}
|
|
|
|
return Array.from(emails);
|
|
}
|
|
|
|
/**
|
|
* Fetches all users from Firebase Identity Platform.
|
|
* Returns an object map: { "email@example.com": { localId: "...", disabled: false } }
|
|
*/
|
|
function getCurrentState() {
|
|
const token = ScriptApp.getOAuthToken();
|
|
const url = `https://identitytoolkit.googleapis.com/v1/projects/${CONFIG.PROJECT_ID}/accounts:query`;
|
|
|
|
// We use query with an empty payload to list users.
|
|
// Note: For very large datasets, pagination (nextPageToken) would be required.
|
|
const payload = {
|
|
returnUserInfo: true,
|
|
maxResults: 1000 // Safely assuming < 1000 users as per requirements
|
|
};
|
|
|
|
const options = {
|
|
method: 'post',
|
|
contentType: 'application/json',
|
|
headers: {
|
|
"Authorization": "Bearer " + token
|
|
},
|
|
payload: JSON.stringify(payload),
|
|
muteHttpExceptions: true
|
|
};
|
|
|
|
console.log("Calling Identity Toolkit accounts:query...");
|
|
const response = UrlFetchApp.fetch(url, options);
|
|
const json = JSON.parse(response.getContentText());
|
|
|
|
if (response.getResponseCode() !== 200) {
|
|
throw new Error(`Firebase API Error: ${response.getContentText()}`);
|
|
}
|
|
|
|
const userMap = {};
|
|
if (json.userInfo) {
|
|
json.userInfo.forEach(user => {
|
|
if (user.email) {
|
|
userMap[user.email.toLowerCase()] = {
|
|
localId: user.localId,
|
|
disabled: user.disabled || false
|
|
};
|
|
}
|
|
});
|
|
}
|
|
return userMap;
|
|
}
|
|
|
|
/**
|
|
* Evaluates differences and executes mutations against Firebase.
|
|
*/
|
|
function reconcileUsers(desiredEmails, currentState) {
|
|
const token = ScriptApp.getOAuthToken();
|
|
const executedActions = [];
|
|
|
|
// Build a Set for O(1) lookup performance (avoids O(n²) with .includes())
|
|
const desiredSet = new Set(desiredEmails);
|
|
|
|
// 1. Check for Creations and Re-enables
|
|
for (const email of desiredEmails) {
|
|
const fbUser = currentState[email];
|
|
|
|
if (!fbUser) {
|
|
// Missing in Firebase -> CREATE
|
|
console.log(`[ACTION: CREATE] User missing in Firebase: ${email}`);
|
|
if (!CONFIG.DRY_RUN) {
|
|
const password = generateSecurePassword();
|
|
const success = createUserInFirebase(email, password, token);
|
|
if (success) {
|
|
executedActions.push(`Created user: ${email}`);
|
|
if (CONFIG.SEND_EMAIL_ON_CREATION) {
|
|
sendPasswordReset(email, token);
|
|
executedActions.push(`Sent password reset email to: ${email}`);
|
|
}
|
|
} else {
|
|
executedActions.push(`[ERROR] Failed to create user: ${email}`);
|
|
}
|
|
} else {
|
|
executedActions.push(`[DRY RUN] Would create user: ${email}`);
|
|
}
|
|
} else if (fbUser.disabled) {
|
|
// Exists but disabled -> RE-ENABLE
|
|
console.log(`[ACTION: RE-ENABLE] User is disabled in Firebase: ${email}`);
|
|
if (!CONFIG.DRY_RUN) {
|
|
const success = updateUserStatus(fbUser.localId, false, token);
|
|
if (success) {
|
|
executedActions.push(`Re-enabled user: ${email}`);
|
|
} else {
|
|
executedActions.push(`[ERROR] Failed to re-enable user: ${email}`);
|
|
}
|
|
} else {
|
|
executedActions.push(`[DRY RUN] Would re-enable user: ${email}`);
|
|
}
|
|
}
|
|
}
|
|
|
|
// 2. Check for Disablements
|
|
for (const [email, fbUser] of Object.entries(currentState)) {
|
|
if (!desiredSet.has(email) && !fbUser.disabled) {
|
|
// Exists in Firebase, but NOT in sheet -> DISABLE (Soft Delete)
|
|
console.log(`[ACTION: DISABLE] User not in sheet: ${email}`);
|
|
if (!CONFIG.DRY_RUN) {
|
|
const success = updateUserStatus(fbUser.localId, true, token);
|
|
if (success) {
|
|
executedActions.push(`Disabled user: ${email}`);
|
|
} else {
|
|
executedActions.push(`[ERROR] Failed to disable user: ${email}`);
|
|
}
|
|
} else {
|
|
executedActions.push(`[DRY RUN] Would disable user: ${email}`);
|
|
}
|
|
}
|
|
}
|
|
|
|
return executedActions;
|
|
}
|
|
|
|
/**
|
|
* Calls Identity Toolkit to create a user.
|
|
*/
|
|
function createUserInFirebase(email, password, token) {
|
|
const url = `https://identitytoolkit.googleapis.com/v1/projects/${CONFIG.PROJECT_ID}/accounts`;
|
|
|
|
const payload = {
|
|
email: email,
|
|
password: password,
|
|
emailVerified: true // Pre-verified since it comes from our trusted sheet
|
|
};
|
|
|
|
const options = {
|
|
method: 'post',
|
|
contentType: 'application/json',
|
|
headers: { "Authorization": "Bearer " + token },
|
|
payload: JSON.stringify(payload),
|
|
muteHttpExceptions: true
|
|
};
|
|
|
|
const res = UrlFetchApp.fetch(url, options);
|
|
if (res.getResponseCode() !== 200) {
|
|
console.error(`Failed to create ${email}: ${res.getContentText()}`);
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Calls Identity Toolkit to update user status (enable/disable).
|
|
*/
|
|
function updateUserStatus(localId, disabled, token) {
|
|
const url = `https://identitytoolkit.googleapis.com/v1/projects/${CONFIG.PROJECT_ID}/accounts:update`;
|
|
|
|
const payload = {
|
|
localId: localId,
|
|
disableUser: disabled
|
|
};
|
|
|
|
const options = {
|
|
method: 'post',
|
|
contentType: 'application/json',
|
|
headers: { "Authorization": "Bearer " + token },
|
|
payload: JSON.stringify(payload),
|
|
muteHttpExceptions: true
|
|
};
|
|
|
|
const res = UrlFetchApp.fetch(url, options);
|
|
if (res.getResponseCode() !== 200) {
|
|
console.error(`Failed to update ${localId}: ${res.getContentText()}`);
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Calls Identity Toolkit to send a password reset email.
|
|
*/
|
|
function sendPasswordReset(email, token) {
|
|
const url = `https://identitytoolkit.googleapis.com/v1/projects/${CONFIG.PROJECT_ID}/accounts:sendOobCode`;
|
|
|
|
const payload = {
|
|
requestType: "PASSWORD_RESET",
|
|
email: email
|
|
};
|
|
|
|
const options = {
|
|
method: 'post',
|
|
contentType: 'application/json',
|
|
headers: { "Authorization": "Bearer " + token },
|
|
payload: JSON.stringify(payload),
|
|
muteHttpExceptions: true
|
|
};
|
|
|
|
const res = UrlFetchApp.fetch(url, options);
|
|
if (res.getResponseCode() !== 200) {
|
|
console.error(`Failed to send reset email to ${email}: ${res.getContentText()}`);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Generates a 24-character cryptographically secure random password.
|
|
* Uses Utilities.getSecureRandomBytes() instead of Math.random() for security.
|
|
*/
|
|
function generateSecurePassword() {
|
|
const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+-=[]{}|;:,.<>?";
|
|
const bytes = Utilities.getSecureRandomBytes(24);
|
|
let pwd = "";
|
|
for (let i = 0; i < 24; i++) {
|
|
// Mask to avoid modulo bias: chars.length (88) fits safely in a byte (0-255)
|
|
pwd += chars.charAt(bytes[i] % chars.length);
|
|
}
|
|
return pwd;
|
|
}
|
|
|
|
/**
|
|
* Sends the final admin report.
|
|
*/
|
|
function sendAdminReport(actions) {
|
|
const subject = `Firebase User Sync Report ${CONFIG.DRY_RUN ? '[DRY RUN]' : ''}`;
|
|
const body = `The synchronization process has completed.\n\nActions taken:\n` +
|
|
actions.map(a => `- ${a}`).join("\n");
|
|
|
|
MailApp.sendEmail({
|
|
to: CONFIG.ADMIN_EMAIL,
|
|
subject: subject,
|
|
body: body
|
|
});
|
|
}
|