I have two GAS scripts. One of them is GSheets add-on another is Web App. The web app has doGet and doPost implemented. doGet returns custom HTML login screen. This screen is called from the GSheet script. After user logs into the web app I execute a doPost call to web app from the GSheet script to transform some data and return it as a JSON content.

The Web App is published with the following permissions

I need to run it as the "User accessing the web app" since I access user's drive and UserProperties service from the Web App

When the doGet is executed for the first time from the Gsheets script the web app script request users permissions with the following OAuth scopes

• "https://www.googleapis.com/auth/script.external_request"
• "https://www.googleapis.com/auth/script.storage"
• "https://www.googleapis.com/auth/drive"

User grants it and the Login page is rendered and works great.

When I execute the doPost call from the GSheet script I use

UrlFetchApp.fetch('https://script.google.com/macros/s/<...>/exec', options)

The options object contains the Authorization: 'Bearer ' + ScriptApp.getOAuthToken(); basically user authorization of the GSheets script.

Everything was working great until yesterday. Now when I do the doPost call from the GSheets script I get the following HTML as a response.

Any ideas what is wrong here and why it stopped working without any changes? Perhaps some GAS update?

EDIT: If I share the source code with the user who runs the scripts the issue is gone. I believe the issue could be related.