Search code examples
node.jsapigoogle-apigmail-api

Gmail API userId use cases in Gmail NodeJs client?

How do I use the userId property outside the cases where I would use the special value 'me'?

From what I understand, when you use 'me', is when you've authenticated as the end user.

But when you're not authenticated as the end user, you can't use 'me' nor can you use any other value because you don't have permissions to perform a given request.

I'm trying to understand how can I perform an action on behalf of an authenticated user on my app without using the value 'me' in the userId field?

Example using Gmail nodeJs client:

const googleClient = new google.auth.OAuth2(client_id, client_secret, redirect_uri);

async function getUnreadEmailsFrom(userID) {
let gmail = google.gmail({ version: 'v1', auth: googleClient });

/* Here on the line below, I'd like to use the email or ID of an already authenticated user in order to perform a given action.

But the only way I understand that I am able to perform any action is by loading the token of the user and saving it via 
googleClient.setCredentials(userToken)
and then using the special value 'me' inside the userId propery.
*/
let response = await gmail.users.messages.list({userId: 'me', q: 'is:unread', maxResults: 500 });

return response.data;
}
Solution

  • Short answer:

    The only allowed values for userId are me and the authenticated (or impersonated) user email address.

    Explanation:

    The only way to access other users' data is to grant domain-wide authority to a service account and use that to impersonate the target user whose data you want to access (this user should be in the same domain).

    Nevertheless, the target user email is specified when impersonating it (see Preparing to make an authorized API call), that is, before calling the API.

    Later, when calling the API, the special value me would correspond to the impersonated user, and the only accepted values would be me and the impersonated user email. Any other value would result in error (since the service account would be acting as the impersonated user, and would only be able to access the impersonated user's data).

    Therefore, the only alternative to me is the authenticated user email address, but of course you'd get the same data.

    Domain-wide delegation example:

    creds = service_account.Credentials.from_service_account_file('credentials.json', scopes=SCOPES)
creds = creds.with_subject('your_target_user@email.com')
service = build('gmail', 'v1', credentials=creds)
messages = service.users().messages().list(userId="me").execute()