Register & Login
Having covered this several times on the forum, I thought it was about time I wrote up a proper guide on how to use Google Sheets as a register and login machine for your app. The simple premise is a sheet that holds the username, the encrypted password (more on which later), and the uid for the user (more on which later too!). In the app demo, a user will register with their username and a compliant password, then log in with these same credentials. At no point does the app save the "real" password, or send it to the Google Apps Script or the Google Sheet. The aim was again to do this without needing to turn to extensions, and to provide industry level security / password protection.
A Google Sheet, private, with columns for UID, User and Encrypted Password
A Google Apps Script web app, bound to the sheet, with the code in the SCRIPT section below
This, I guess, is in two parts:
General internet/Data security
Protecting the user from the developer, and protecting the developer from themselves!
I looked at the various options available for password security, and decided that a straightforward hash, e.g. HMACSha256, would not be of any use, because the developer/owner of the script/sheet could use this to compare, without the need of the actual password. There is no real "back-end" server-side area easily accessible within Google Apps Script (that is, one not available to either the user or the developer, like you get in Firebase), apart from userProperties, but then the user needs to be connected to the web app with their Google account, which starts to make things complicated (GD Connector).
SimpleCrypto generates a different hash/encode, for the same parameters, each time you run it....
Anyway, the encryption uses two HTML files to handle the work, and these are in the app's assets. I did cheat a bit and use the real password for both the secret key and the text to be encrypted, so that the user only had to enter one password, but I feel the password verification helps to make up for this.
On that subject, apparently, requiring an 8 character password, which must include characters from A-Z, a-z, 0-9, and a bunch of special characters, produces around 350 billion combinations. (I couldn't use all the special characters (33), as some, like the comma and semi-colon, failed in the verification.) Check out the passwordVerifier blocks.
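The scheme described above (password used as both key and plaintext, a different stored value on each run, login by decrypting and comparing), as an added example that is not the guide's own code. Node's built-in scrypt and AES-256-GCM stand in for SimpleCrypto, and the `SPECIALS` set, the minimum length and the function names are assumptions.

```javascript
// Added example: Node's built-in crypto stands in for SimpleCrypto (assumption).
const nodeCrypto = require("crypto");

// Assumed policy: 8+ characters with upper, lower, digit and a special character.
// SPECIALS is a constructed set; comma and semicolon are left out, as on the page.
const SPECIALS = "!@#$%^&*?_-";

function passwordOk(pw) {
  const chars = [...pw];
  const allowed = (c) => /[A-Za-z0-9]/.test(c) || SPECIALS.includes(c);
  return chars.length >= 8 && chars.every(allowed) &&
    /[A-Z]/.test(pw) && /[a-z]/.test(pw) && /[0-9]/.test(pw) &&
    chars.some((c) => SPECIALS.includes(c));
}

// Registration: the password is both the key material and the plaintext.
// A fresh salt and IV make the stored value differ on every call.
function encryptPassword(pw) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(pw, salt, 32);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(pw, "utf8"), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), body]
    .map((b) => b.toString("base64")).join(".");
}

// Login: decrypt the stored value with the entered password and compare.
// A wrong password derives a different key, so the GCM tag check throws.
function verifyPassword(pw, stored) {
  const parts = String(stored).split(".").map((s) => Buffer.from(s, "base64"));
  if (parts.length !== 4) return false;
  const [salt, iv, tag, body] = parts;
  try {
    const key = nodeCrypto.scryptSync(pw, salt, 32);
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return nodeCrypto.timingSafeEqual(plain, Buffer.from(pw, "utf8"));
  } catch {
    return false; // wrong password or malformed/tampered value
  }
}
```

Because the stored value leaves the sheet on every `login` call, its protection rests on the key-derivation cost and the password policy.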
Fairly standard fare:
register - generates the uid, appends this and the user and encrypted password to the sheet, confirms success back to the app
getusers - returns a list of usernames back to the app for a verification check, to avoid duplicate usernames
login - returns the encrypted password/hash to the app based upon the username, for login verification
and uid generator (thank you Firebase Developers):