Fall back to Drive export when Docs API returns 403 (Shared Drive / Workspace policy fix)#93
Merged
a-bonus merged 1 commit intoa-bonus:mainfrom Mar 23, 2026
Conversation
Some Google Workspace admins restrict third-party access to the Docs API while allowing the Drive API. In that case, docs.documents.get() returns 403 even for documents the user owns in a Shared Drive. When readDocument receives a 403 and the requested format is 'text', fall back to drive.files.export() with mimeType 'text/plain'. The Drive API is more permissive in enterprise environments and already handles Shared Drive access correctly elsewhere in the codebase. Fixes a-bonus#92, relates to a-bonus#33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
In some Google Workspace organisations, admins restrict third-party OAuth app access to the Google Docs API while still allowing the Drive API. This causes
readDocumentto returnPermission denied(HTTP 403) even for documents the authenticated user owns in a Shared Drive.The Drive API already handles Shared Drive access correctly throughout this codebase (
supportsAllDrives: trueis set on all Drive API calls). The Docs API does not have an equivalent parameter, and cannot be used in these environments.Fix
When
docs.documents.get()returns 403 and the requested format istext, fall back todrive.files.export()withmimeType: 'text/plain'. This uses the Drive API instead and works in restricted Workspace environments.markdownandjsonformats still throw, since they require the full document structure from the Docs API.Changes
src/tools/docs/readGoogleDoc.ts: importgetDriveClient, add 403 fallback todrive.files.export()Testing
Verified manually against a Shared Drive document in a Workspace org where the Docs API is restricted:
Permission denied for doc (ID: ...)Fixes #92, relates to #33