feat: add secured-app samples (#268)

Co-authored-by: pierrick <pierrick@google.com>

Author: PierrickVoulet

java/chat/connectivity-app/src/main/java/com/google/chat/connectivityApp/App.java

@@ -26,7 +26,6 @@
 import com.google.apps.meet.v2.SpacesServiceSettings;
 import com.google.gson.JsonObject;
 
-import java.util.Date;
 import java.util.Optional;
 
 import org.springframework.boot.SpringApplication;

java/chat/preview-link/src/main/java/com/google/chat/previewLink/App.java

@@ -89,9 +89,8 @@ GenericJson handlePreviewLink(JsonNode chatMessage) {
         put("hostAppDataAction", new GenericJson() {{
           put("chatDataAction", new GenericJson() {{
             put("createMessageAction", new GenericJson() {{
-              put("message", new GenericJson() {{
-                put("text", "No matchedUrl detected.");
-              }});
+              put("message", new Message()
+                .setText("No matchedUrl detected."));
             }});
           }});
         }});
@@ -105,9 +104,8 @@ GenericJson handlePreviewLink(JsonNode chatMessage) {
         put("hostAppDataAction", new GenericJson() {{
           put("chatDataAction", new GenericJson() {{
             put("createMessageAction", new GenericJson() {{
-              put("message", new GenericJson() {{
-                put("text", "event.chat.messagePayload.message.matchedUrl.url: " + chatMessage.at("/matchedUrl/url").asText());
-              }});
+              put("message", new Message()
+                .setText("event.chat.messagePayload.message.matchedUrl.url: " + chatMessage.at("/matchedUrl/url").asText()));
             }});
           }});
         }});

java/chat/secured-app/README.md

@@ -0,0 +1,6 @@
+# Google Chat secured app as Google Workspace add-on
+
+This code sample demonstrates Google Workspace add-on request verification.
+
+Please see related guide about
+[request verification](https://developers.google.com/workspace/add-ons/guides/alternate-runtimes#validate-requests-from-google).

java/chat/secured-app/pom.xml

@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright 2025 Google LLC
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <name>secured-app</name>
+
+  <groupId>com.google.chat</groupId>
+  <artifactId>secured-app</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <properties>
+    <maven.compiler.target>17</maven.compiler.target>
+    <maven.compiler.source>17</maven.compiler.source>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <!-- Import dependency management from Spring Boot -->
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-dependencies</artifactId>
+        <version>3.2.3</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-dependencies</artifactId>
+        <version>Greenwich.SR1</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+
+      <dependency>
+            <groupId>com.fasterxml.jackson</groupId>
+            <artifactId>jackson-bom</artifactId>
+            <version>2.17.2</version> <type>pom</type>
+            <scope>import</scope>
+        </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+      <version>3.2.3</version>
+      <exclusions>
+        <!-- Exclude the Tomcat dependency -->
+        <exclusion>
+          <groupId>org.springframework.boot</groupId>
+          <artifactId>spring-boot-starter-tomcat</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-jetty</artifactId>
+      <version>3.2.3</version>
+    </dependency>
+
+    <dependency>
+       <groupId>com.google.apis</groupId>
+       <artifactId>google-api-services-chat</artifactId>
+       <version>v1-rev20241008-2.0.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+        <version>3.2.3</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>repackage</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>appengine-maven-plugin</artifactId>
+        <version>2.7.0</version>
+        <configuration>
+          <version>GCLOUD_CONFIG</version>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

java/chat/secured-app/src/main/appengine/app.yaml

@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+runtime: java17
+instance_class: F1
+
+# Explicitly set the memory limit and maximum heap size for the Spring Boot app
+env_variables:
+  JAVA_TOOL_OPTIONS: "-XX:MaxRAM=256m -XX:ActiveProcessorCount=2 -Xmx32m"

java/chat/secured-app/src/main/java/com/google/chat/app/basic/App.java

@@ -0,0 +1,94 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * <p>Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of the License at
+ *
+ * <p>http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * <p>Unless required by applicable law or agreed to in writing, software distributed under the
+ * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.chat.app.secured;
+
+import java.util.Collections;
+import java.util.logging.Logger;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.google.api.client.json.GenericJson;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.http.apache.ApacheHttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.services.chat.v1.model.Message;
+
+@SpringBootApplication
+@RestController
+public class App {
+
+  // Service account email to verify requests from
+  static String SERVICE_ACCOUNT_EMAIL = "your-add-on-service-account-email";
+
+  // Endpoint URL of the add-on
+  static String HTTP_ENDPOINT = "your-add-on-endpoint-url";
+
+  private static final Logger logger = Logger.getLogger(App.class.getName());
+
+  public static void main(String[] args) {
+    SpringApplication.run(App.class, args);
+  }
+
+  // Returns a simple text message app response based on whether the request is verified or not.
+  @PostMapping("/")
+  @ResponseBody
+  public GenericJson onEvent(
+      @RequestBody JsonNode event, @RequestHeader("Authorization") String authorization)
+      throws Exception {
+    return new GenericJson() {{
+      put("hostAppDataAction", new GenericJson() {{
+        put("chatDataAction", new GenericJson() {{
+          put("createMessageAction", new GenericJson() {{
+            put("message", new Message()
+              .setText(verifyAddOnRequest(event, authorization) ? "Successful verification!" : "Failed verification!"));
+          }});
+        }});
+      }});
+    }};
+  }
+
+  // [START verify_add_on_request]
+  /**
+   * Determine whether a Google Workspace add-on request is legitimate.
+   * 
+   * @param event Event sent from Google Workspace add-on
+   * @param authorization Authorization header from the request
+   * @return {boolean} Whether the request is legitimate
+   */
+  private boolean verifyAddOnRequest(JsonNode event, String authorization) throws Exception {
+    JsonFactory factory = JacksonFactory.getDefaultInstance();
+
+    GoogleIdTokenVerifier verifier =
+      new GoogleIdTokenVerifier.Builder(new ApacheHttpTransport(), factory)
+        .setAudience(Collections.singletonList(HTTP_ENDPOINT))
+        .build();
+
+    String bearer = authorization.substring("Bearer ".length(), authorization.length());
+    GoogleIdToken idToken = GoogleIdToken.parse(factory, bearer);
+    return idToken != null
+      && verifier.verify(idToken)
+      && idToken.getPayload().getEmailVerified()
+      && idToken.getPayload().getEmail().equals(SERVICE_ACCOUNT_EMAIL);
+  }
+  // [END verify_add_on_request]
+}

java/chat/secured-app/src/main/resources/applicaton.properties

@@ -0,0 +1,16 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Set the port to the PORT environment variable
+server.port=${PORT:8080}

node/chat/secured-app/.gcloudignore

@@ -0,0 +1,17 @@
+# This file specifies files that are *not* uploaded to Google Cloud
+# using gcloud. It follows the same syntax as .gitignore, with the addition of
+# "#!include" directives (which insert the entries of the given .gitignore-style
+# file at that point).
+#
+# For more information, run:
+#   $ gcloud topic gcloudignore
+#
+.gcloudignore
+# If you would like to upload your .git directory, .gitignore file or files
+# from your .gitignore file, remove the corresponding line
+# below:
+.git
+.gitignore
+
+# Node.js dependencies:
+node_modules/

node/chat/secured-app/README.md

@@ -0,0 +1,6 @@
+# Google Chat secured app as Google Workspace add-on
+
+This code sample demonstrates Google Workspace add-on request verification.
+
+Please see related guide about
+[request verification](https://developers.google.com/workspace/add-ons/guides/alternate-runtimes#validate-requests-from-google).

node/chat/secured-app/app.yaml

@@ -0,0 +1,19 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file specifies your Python application's runtime configuration.
+# See https://cloud.google.com/appengine/docs/managed-vms/python/runtime
+#
+
+runtime: nodejs20