Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update "Dude, Where's My Stuff?" to v2.7.0 #6252

Merged
merged 6 commits into from
Feb 8, 2025
Merged

Update "Dude, Where's My Stuff?" to v2.7.0 #6252

merged 6 commits into from
Feb 8, 2025

Conversation

Thource
Copy link
Contributor

@Thource Thource commented Jul 6, 2024
edited
Loading

@runelite-github-app
Copy link

runelite-github-app bot commented Jul 6, 2024
edited
Loading

Includes non-plugin changes

dude-wheres-my-stuff: 749e63ef6871ae27d45b5ac401e1b716e1c95fae...19dc452292300d48d96ce0fa14a905ee6409c875

@jaybyrrd jaybyrrd mentioned this pull request Jul 7, 2024
Closed
@Thource Thource force-pushed the dude-wheres-my-stuff branch from 2c8e6fb to ea91d5d Compare July 10, 2024 08:13
@Thource Thource force-pushed the dude-wheres-my-stuff branch from ea91d5d to f30ab90 Compare August 14, 2024 18:02
@Thource
Copy link
Contributor Author

Thource commented Aug 14, 2024

Sorry, trying to create a PR for hotfix and accidentally pushed to this branch

@Felanbird
Copy link
Contributor

@Thource as a reminder you pushed this branch to have no changes, also I pushed this plugin back 1 commit to before the cat_h changes, just so you are aware when/if you resolve this PR.

@Thource Thource force-pushed the dude-wheres-my-stuff branch from 6406ac6 to 59e3509 Compare September 14, 2024 19:50
@Thource Thource requested a review from a team as a code owner September 14, 2024 19:55
@Thource
Copy link
Contributor Author

Thource commented Sep 14, 2024

Thanks @Felanbird, I believe this should be ready now

@Thource Thource force-pushed the dude-wheres-my-stuff branch from 138b3eb to c154081 Compare September 16, 2024 18:42
jaybyrrd
jaybyrrd reviewed Sep 25, 2024
View reviewed changes
package/verification-template/gradle/verification-metadata.xml
Comment on lines +1420 to +1427
<component group="org.xerial" name="sqlite-jdbc" version="3.46.0.0">
<artifact name="sqlite-jdbc-3.46.0.0.jar">
<sha256 value="e697df15be3f95219d80773c5f1002030e33e932adda186c1c86fd51df6691a9" origin="Generated by Gradle"/>
</artifact>
<artifact name="sqlite-jdbc-3.46.0.0.pom">
<sha256 value="3c16325e9917957ada3cda84fb50296145aa4f3aa73e7a5d63af9719cee2a7ac" origin="Generated by Gradle"/>
</artifact>
</component>
Copy link

@jaybyrrd jaybyrrd Sep 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Am I missing something? This doesn't actually seem different, just moved.

@Thource Thource mentioned this pull request Oct 25, 2024
Merged
@LlemonDuck
Copy link
Contributor

Is there a reason you need the newer gsheets dependency? Does v4-rev581-1.25.0, which is already approved, no longer work?

@LlemonDuck LlemonDuck added the waiting for author waiting for the pr author to make changes or respond to questions label Nov 12, 2024
@LlemonDuck LlemonDuck closed this Nov 12, 2024
@LlemonDuck LlemonDuck reopened this Nov 12, 2024
@Thource
Copy link
Contributor Author

Thource commented Nov 12, 2024 via email

@runelite-github-app runelite-github-app bot removed the waiting for author waiting for the pr author to make changes or respond to questions label Nov 12, 2024
@Thource Thource mentioned this pull request Dec 5, 2024
Closed
@Thource
Copy link
Contributor Author

Thource commented Feb 7, 2025
edited
Loading

We tried to downgrade our google-api-services-sheets to the already accepted version, but doing this would have meant that the plugin users would need to create their own Google API keys and paste them into the plugin config, rather than just using Google's OAuth flow, which does not seem like a good user experience.

We believe the best option for the plugin is to add these new dependencies, rather than the alternative.

@abextm abextm closed this Feb 8, 2025
@abextm abextm reopened this Feb 8, 2025
@abextm
Copy link
Member

abextm commented Feb 8, 2025

this is not supposed to be public https://github.com/Thource/dude-wheres-my-stuff/blob/19dc452292300d48d96ce0fa14a905ee6409c875/src/main/resources/credentials.json#L8

@jaybyrrd
Copy link

jaybyrrd commented Feb 8, 2025
edited
Loading

this is not supposed to be public https://github.com/Thource/dude-wheres-my-stuff/blob/19dc452292300d48d96ce0fa14a905ee6409c875/src/main/resources/credentials.json#L8

Hey, chiming in as the person who worked on this and had this discussion with Thource too. We actually scoped this as a native app which means the client-secret is actually not treated as sensitive on Google's side since it needs to be deployed with the application (and so the user would have access to it).

From their docs:

Installed apps are distributed to individual devices, and it is assumed that these apps cannot keep secrets. They can access Google APIs while the user is present at the app or when the app is running in the background.

The desktop app requests no restricted scopes which means that the key is unable to list or search for any of the sheets it creates. This means that someone with these creds can only access documents that they know the sheet ID of (which is on the order of UUID levels of difficulty to guess) and that the current authenticated user has access to.

"While the user is present" is guaranteed by the Google Auth Flow. The auth flow in this case is the user gets a browser opened to auth with the Dude Where's My Stuff App, they complete the auth, and now the plugin is able to create and modify the spreadsheet provided assuming the authenticated google account has access to the sheet id provided (if no sheet id provided, it creates one).

We did consider storing the secret on a secret store of some kind and retrieving it, but ultimately the secret is still going to be on the users machine (either in memory or in the jar), so it doesn't seem worth the hassle. The worst case scenario, we could surmise, is that someone decided to impersonate the app, which still requires the user to go through the oauth flow, and even if they do they will find they can only modify new google sheets that the app has created and that they already know the id of. Ultimately doing that would just be obfuscation, not really "security".

It's probably ideal for it not to be in plain text... but I am not sure we gain much by obfuscating it either.

Just wanted to share the context.

@abextm
Copy link
Member

abextm commented Feb 8, 2025

Hmm, OK. I would expect Google to use a pkce flow without a client secret, but the docs seem to indicate otherwise, so that is okay I guess. Obfuscating it wouldn't be useful or add anything, so this seems fine.

Do you know its excluding grpc is possible? It looks almost entirely unused.

@jaybyrrd
Copy link

jaybyrrd commented Feb 8, 2025
edited
Loading

So I just confirmed it is on the runtime classpath for the google api client and http client.

I recall us trying to remove it and it causing the integration to totally fail. I dug up the chat here which confirmed we couldn't remove opencensus. I wanted to make sure about grpc, so I went ahead and tried again.

When I add:

        exclude group: 'io.grpc'

the application ultimately fails with:

java.lang.NoClassDefFoundError: io/grpc/Context
	at io.opencensus.trace.unsafe.ContextManagerImpl.currentContext(ContextManagerImpl.java:30)
	at io.opencensus.trace.unsafe.ContextHandleUtils.currentContext(ContextHandleUtils.java:56)
	at io.opencensus.trace.CurrentSpanUtils.getCurrentSpan(CurrentSpanUtils.java:37)
	at io.opencensus.trace.Tracer.spanBuilder(Tracer.java:308)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:865)
	at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:304)
	at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:166)
	at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:72)
	at com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp.authorize(AuthorizationCodeInstalledApp.java:115)
	at dev.thource.runelite.dudewheresmystuff.export.utils.GoogleSheetConnectionUtils.getCredentials(GoogleSheetConnectionUtils.java:54)
	at dev.thource.runelite.dudewheresmystuff.export.utils.GoogleSheetConnectionUtils.getSheetsConnection(GoogleSheetConnectionUtils.java:62)
	at dev.thource.runelite.dudewheresmystuff.export.clients.GoogleSheetClient.<init>(GoogleSheetClient.java:29)
	at dev.thource.runelite.dudewheresmystuff.export.writers.GoogleSheetsWriter.<init>(GoogleSheetsWriter.java:38)
	at dev.thource.runelite.dudewheresmystuff.StorageManagerManager.lambda$exportItems$17(StorageManagerManager.java:221)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.ClassNotFoundException: io.grpc.Context
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
	... 15 common frames omitted

@abextm
Copy link
Member

abextm commented Feb 8, 2025

not blocking, but you should use int[] here. Thource/dude-wheres-my-stuff@749e63e...Thource:19dc452292300d48d96ce0fa14a905ee6409c875#diff-6e5d858f33efa0e0391d79d78318fb1423603c06103c4486f44d96851f83b364R14

@abextm abextm merged commit 79e2d0f into runelite:master Feb 8, 2025
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaybyrrd jaybyrrd jaybyrrd left review comments

Assignees
No one assigned
Labels
dependency change plugin change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Thource @Felanbird @LlemonDuck @abextm @jaybyrrd