How can I make App Engine HTTP URL handlers callable internally only?
Question
I have a set of different modules with HTTP URL handlers. Some module handlers are designed only for internal access and I use urlfetch to call them from other modules. How can I ensure that these handlers are not callable from the wider internet?
Task queues get around this by allowing you to add `login: admin` to their URL `app.yaml`. This allows you to be sure that a task queue can only be invoked via an internal task queue function call. Is there something similar I can do with my handlers? I don't want to have to share a secret between the API and its consumer.
Answer 1
Score: 1
GAE has built-in admin auth:
developers.google.com/appengine/docs/python/users/adminusers
Answer 2
Score: 0
In your URL handler read the `X-Appengine-Inbound-Appid` header value. It will be populated with the name of your App Engine app that called the handler via its url fetch method. Make sure the url fetch method that makes the call does not follow redirects.
Click here for documentation associated with this.
Here's my Go handler that achieves what I was looking for:
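```go
import (
	"net/http"

	// Assumed import path (classic App Engine Go SDK);
	// google.golang.org/appengine has the same NewContext and AppID calls.
	"appengine"
)

// internalOnlyHandler wraps h so it only serves requests made by this app itself.
func internalOnlyHandler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c := appengine.NewContext(r)
		appID := appengine.AppID(c)
		// App ID of the calling app, as reported in the inbound header.
		headerAppID := r.Header.Get("X-Appengine-Inbound-Appid")
		if appID == headerAppID {
			h.ServeHTTP(w, r)
		} else {
			http.Error(w, "403 forbidden", http.StatusForbidden)
		}
	})
}
```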
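An added example, not part of the original answer: the same header check written so it runs outside App Engine, generalized from "this app's own ID" to an allow-list of caller IDs and made to fail closed when the header is missing, repeated, or the configured ID is empty. The names `internalOnly` and `statusFor`, the app IDs and the `/internal/report` path are constructed for illustration. It exercises only the comparison logic; the header is only meaningful when App Engine itself sets it on the incoming request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// inboundAppIDHeader is the header the answer above reads.
const inboundAppIDHeader = "X-Appengine-Inbound-Appid"

// internalOnly serves h only when the request carries exactly one inbound
// app ID and that ID is in allowed. Empty IDs never match (fail closed).
func internalOnly(allowed []string, h http.Handler) http.Handler {
	ok := make(map[string]bool, len(allowed))
	for _, id := range allowed {
		if id != "" {
			ok[id] = true
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		vals := r.Header.Values(inboundAppIDHeader)
		if len(vals) != 1 || !ok[vals[0]] {
			http.Error(w, "403 forbidden", http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the wrapper and
// returns the HTTP status the caller would see.
func statusFor(allowed []string, headerVals ...string) int {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "internal data")
	})
	req := httptest.NewRequest(http.MethodGet, "/internal/report", nil)
	for _, v := range headerVals {
		req.Header.Add(inboundAppIDHeader, v)
	}
	rec := httptest.NewRecorder()
	internalOnly(allowed, inner).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("same app:", statusFor([]string{"my-app"}, "my-app"))
	fmt.Println("no header:", statusFor([]string{"my-app"}))
	fmt.Println("own ID unset, no header:", statusFor([]string{""}))
}
```

The last case is the one a plain equality test gets wrong: an empty configured ID compared with a missing header is `"" == ""`.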