Hayrullah Kar

Originally published at magesheet.com

Securing the Amnesiac Cloud: Database-Free Token Auth in Apps Script Web Apps

When expanding Google Workspace into a genuine production-grade business platform, backend engineers frequently run into a major architectural roadblock: state management.

Google Apps Script’s underlying user interface framework, powered by the HTML Service, is completely stateless. Every single time your custom user interface initiates an asynchronous remote procedure call to the server side, the cloud engine provisions a completely fresh, isolated runtime instance on Google's infrastructure.

It possesses absolutely no built-in memory of the user who authenticated mere moments prior.

If your enterprise relies heavily on Google Workspace to run critical web applications, portals, or internal tooling, solving this security and state puzzle is paramount. Let's look at how to engineer bulletproof session states without introducing heavy database overhead or spinning up complex external server environments.


The Illusion of Client-Side Authentication

A common, incredibly dangerous mistake developers make in Apps Script is trusting the frontend environment.

Because traditional web paradigms sometimes obscure how Apps Script processes frontend-to-backend calls, it is tempting to validate a user’s credentials on the server, return a success flag, and then save a global state variable like "is logged in" directly inside your frontend JavaScript engine.

Doing this means your application is completely exposed.

Since your backend functions are callable from the browser, any malicious user can open Google Chrome Developer Tools, head over to the console, and invoke your data-fetching functions directly, passing any arbitrary client ID as an argument.

The server environment must never blindly trust the identity or permission claims passed up by the user interface layer. Every single transactional request must be validated independently at the root level.


The Solution: Ephemeral Server-Verified Session Tokens

To build a secure Single Page Application architecture on Apps Script, you must transition to a strict, server-verified token paradigm.

Instead of querying a slow Google Sheet on every single user click, you can leverage Google’s native, high-speed ephemeral caching layer: the built-in Script Cache service.

The structural architecture relies on a clean separation of concerns:

  • The Backend Core: When credentials are submitted, the server validates them against your master source records, generates a unique, cryptographically secure UUID string to act as a session token, caches that token alongside the internal User ID, and returns only the token to the client. When data is requested later, the backend reads the token, verifies its active existence in the cache, and filters the spreadsheet rows exclusively for that verified user context.
  • The Frontend Context: The frontend application captures the token inside a global state object during the successful login handshake. From that point forward, the client script automatically appends this secure token string to every subsequent server invocation, gracefully resetting the user's view back to the login screen if the server rejects the token as expired.
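
The handshake described in the two items above, as an added sketch that is not the author's code. The sheet rows, `verifyCredentials_` and the Node stand-ins for `CacheService` and `Utilities.getUuid()` are assumptions made so it can run outside Apps Script.

```javascript
// Added sketch. Under Apps Script the real CacheService and Utilities are used;
// the Node stand-ins exist only so it can run offline. Names ending in "_" are
// private in Apps Script: the browser cannot invoke them directly.
const TTL_SECONDS = 2 * 60 * 60; // two-hour session lifetime
function memoryCache_() { // stand-in for CacheService.getScriptCache()
  const m = new Map();
  return {
    put: (k, v, ttl) => { m.set(k, { v, exp: Date.now() + ttl * 1000 }); },
    get: (k) => { const e = m.get(k); return e && e.exp > Date.now() ? e.v : null; },
    remove: (k) => { m.delete(k); },
  };
}
const cache = typeof CacheService !== 'undefined'
  ? CacheService.getScriptCache() : memoryCache_();
const nodeCrypto_ = () => (globalThis.crypto && globalThis.crypto.randomUUID
  ? globalThis.crypto : require('crypto'));
const newToken_ = () => (typeof Utilities !== 'undefined'
  ? Utilities.getUuid() : nodeCrypto_().randomUUID());

// Constructed rows standing in for the Users and Orders sheets.
const USERS = { 'ann@example.com': { id: 'u1', secret: 'demo-secret-ann' } };
const ORDERS = [{ ownerId: 'u1', item: 'Invoice 1001' },
  { ownerId: 'u2', item: 'Invoice 2001' }];
// Hypothetical credential check; a real one compares a salted hash.
function verifyCredentials_(email, secret) {
  const u = Object.prototype.hasOwnProperty.call(USERS, email) ? USERS[email] : null;
  return u && u.secret === secret ? u.id : null;
}

function login(email, secret) {
  const userId = verifyCredentials_(email, secret);
  if (!userId) return { ok: false };
  const token = newToken_();
  cache.put('sess:' + token, userId, TTL_SECONDS);
  return { ok: true, token }; // only the token goes to the browser
}
// Every server function resolves identity from the token, never a client ID.
function requireUser_(token) {
  const userId = typeof token === 'string' ? cache.get('sess:' + token) : null;
  if (!userId) throw new Error('SESSION_EXPIRED');
  return userId;
}
function getMyOrders(token) {
  const userId = requireUser_(token);
  return ORDERS.filter((row) => row.ownerId === userId).map((row) => row.item);
}
function logout(token) { cache.remove('sess:' + token); }
```

On the client, a rejected call surfaces as the `SESSION_EXPIRED` error, which is the signal to drop the stored token and show the login screen again.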

Scaling to Enterprise Security Requirements

While an ephemeral cache handshake secures basic workflows, scaling to a true B2B platform or compliance-heavy internal CRM requires layering on advanced architectural lifecycle patterns:

The Sliding Window Expiration

A fixed two-hour expiration can frustrate active operators by abruptly logging them out mid-workflow. To fix this, your data-fetching functions should dynamically extend the token’s lifespan. By updating the cache entry with a fresh two-hour time-to-live parameter upon every successful network interaction, active users stay logged in seamlessly while inactive sessions naturally expire.

Multi-Device Revocation

If a user signs in on a secondary device, the login flow issues a brand new valid session token for that device. However, if that user hits a global "Log Out Everywhere" button, you need an instant revocation mechanism. By keeping a revocation timestamp in your Users sheet, your backend can compare the token's creation timestamp against that master revocation timestamp on every transaction, instantly cutting off compromised access points.
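
The sliding window and the revocation check combine into one per-request session check. The following is an added sketch, not the author's code: the `USERS` record, the fixed token strings and `recordingCache` are constructed stand-ins for the Users sheet, real UUID tokens and `CacheService.getScriptCache()`.

```javascript
// Added sketch: session check with sliding expiry and "Log Out Everywhere".
const TTL_SECONDS = 2 * 60 * 60;
// Constructed stand-in for the Users sheet: revokedAt is the epoch-ms time of
// the user's last "Log Out Everywhere" click (0 = never).
const USERS = { u1: { revokedAt: 0 }, u2: { revokedAt: 0 } };

// cache: any object with CacheService's put/get/remove; now: epoch ms.
// Cache values must be strings, so the session is stored as JSON.
function issueSession(cache, token, userId, now) {
  const session = JSON.stringify({ userId, issuedAt: now });
  cache.put('sess:' + token, session, TTL_SECONDS);
}

function touchSession(cache, token, now) {
  const key = 'sess:' + token;
  const raw = typeof token === 'string' ? cache.get(key) : null;
  if (!raw) return null; // unknown or expired token
  const session = JSON.parse(raw);
  const user = USERS[session.userId];
  // Tokens minted at or before the revocation time are dead on every device.
  if (!user || session.issuedAt <= user.revokedAt) {
    cache.remove(key);
    return null;
  }
  cache.put(key, raw, TTL_SECONDS); // sliding window: restart the two-hour TTL
  return session.userId;
}

function logOutEverywhere(userId, now) {
  USERS[userId].revokedAt = now; // in Apps Script: write the Users sheet cell
}

// Recording stand-in for CacheService.getScriptCache(), so the TTL passed to
// each put() can be inspected when running outside Apps Script.
function recordingCache() {
  const store = new Map();
  const puts = [];
  return {
    puts,
    put(k, v, ttl) { store.set(k, v); puts.push({ k, ttl }); },
    get(k) { return store.has(k) ? store.get(k) : null; },
    remove(k) { store.delete(k); },
  };
}
```

Rewriting the entry keeps `issuedAt` unchanged, so a refreshed token is still compared against the revocation time by its original creation time.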

Server-Side Role-Based Access Control (RBAC)

Authentication establishes who a user is; authorization dictates what they are allowed to perform. Never rely on hiding buttons in HTML or CSS as a security boundary. Implement a rigorous, server-side role guard wrapper on all mutating functions. If an endpoint requires an administrative or financial tier role, the server must evaluate the cached identity against the user's master permission record before executing the database mutation, defaulting to a strict access denial if they don't match.

Immutable Append-Only Audit Logging

For sensitive operational shifts affecting financial tracking or client inventories, you need undeniable traceability. Wrapping mutating endpoints in a single-line audit macro that logs timestamps, verified user IDs, specific actions, and metadata strings directly into an admin-write-only Google Sheet ensures complete operational compliance and non-repudiation.
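
A role guard and the audit write fit in one wrapper around each mutating endpoint. The following is an added sketch, not the author's library: `SESSIONS`, `ROLES`, `AUDIT` and `INVENTORY` are constructed stand-ins for the token cache, the master permission record, the audit sheet and the data sheet, and logging denied attempts is a choice made for this example.

```javascript
// Added sketch: server-side role guard that also writes the audit row.
// Constructed stand-ins: SESSIONS for the token cache, ROLES for the master
// permission record, AUDIT for an append-only sheet (sheet.appendRow).
const SESSIONS = { 'tok-admin': 'u1', 'tok-viewer': 'u2' };
const ROLES = { u1: ['admin', 'finance'], u2: ['viewer'] };
const AUDIT = [];
const INVENTORY = { widget: 10 };

function audit_(userId, action, outcome, meta) {
  AUDIT.push([new Date().toISOString(), userId, action, outcome, JSON.stringify(meta)]);
}

// Wraps a mutating handler: resolve identity from the token, check the role
// on the server, deny by default, and log both allowed and denied attempts.
function withRole_(requiredRole, action, handler) {
  return function (token, ...args) {
    const known = Object.prototype.hasOwnProperty.call(SESSIONS, token);
    if (!known) throw new Error('SESSION_EXPIRED');
    const userId = SESSIONS[token];
    const roles = ROLES[userId] || []; // no record means no roles
    if (!roles.includes(requiredRole)) {
      audit_(userId, action, 'DENIED', args);
      throw new Error('FORBIDDEN');
    }
    const result = handler(userId, ...args);
    audit_(userId, action, 'OK', args);
    return result;
  };
}

const adjustStockGuarded_ = withRole_('admin', 'inventory.adjust',
  (userId, item, delta) => {
    INVENTORY[item] = (INVENTORY[item] || 0) + delta;
    return INVENTORY[item];
  });

// The function the client calls; it only ever receives the guarded path.
function adjustStock(token, item, delta) {
  return adjustStockGuarded_(token, item, delta);
}
```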


Own Your Automation

By turning native caching capabilities and unique cryptographic identifiers into a secure session layer, your business can completely decouple its operational interfaces from raw spreadsheets.

There are no modern cloud databases to spin up, no infrastructure overhead to monitor, and absolutely no monthly server bills. Google handles the cloud orchestration scale seamlessly while you maintain absolute authority over your internal code logic.

The comprehensive architectural guide with full boilerplate code setups, production-ready RBAC libraries, and advanced logging streams is available on the MageSheet blog.
