How can I make App Engine HTTP URL handlers callable internally only?

Question

I have a set of different modules with HTTP URL handlers. Some module handlers are designed only for internal access and I use urlfetch to call them from other modules. How can I ensure that these handlers are not callable from the wider internet?

Task queues get around this by allowing you to add login: admin to their URL app.yaml. This allows you to be sure that a task queue can only be invoked via an internal task queue function call. Is there something similar I can do with my handlers? I don't want to have to share a secret between the API and its consumer.

Answer 1

Score: 1

GAE has built-in admin auth:

developers.google.com/appengine/docs/python/users/adminusers

Answer 2

Score: 0

In your URL handler read the X-Appengine-Inbound-Appid header value. It will be populated with the name of your App Engine app that called the handler via its url fetch method. Make sure the url fetch method that makes the call does not follow redirects.

Click here for documentation associated with this.

Here's my Go handler that achieves what I was looking for:

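import (
    "net/http"

    "appengine"
)

// internalOnlyHandler wraps h so that it only serves requests made by this
// same App Engine app through URL Fetch; everything else gets a 403.
func internalOnlyHandler(h http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        c := appengine.NewContext(r)
        appID := appengine.AppID(c)
        // Header naming the app that made the call.
        headerAppID := r.Header.Get("X-Appengine-Inbound-Appid")
        if appID == headerAppID {
            h.ServeHTTP(w, r)
        } else {
            http.Error(w, "403 forbidden", http.StatusForbidden)
        }
    })
}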
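
A stand-alone variant of the same header check, added here as an example and not part of the original answer. It generalizes the single-ID comparison to a list of allowed app IDs and rejects an empty ID, so the check cannot pass on two empty strings. The `allowed` parameter, the `statusFor` helper, the `/internal/report` path and the `my-app` / `other-app` IDs are assumptions made so it runs with only the standard library; on App Engine the allowed ID would come from `appengine.AppID(c)`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const inboundHeader = "X-Appengine-Inbound-Appid"

// internalOnly wraps h so it only serves requests whose inbound app ID header
// names one of the allowed apps. allowed is a hypothetical parameter.
func internalOnly(allowed []string, h http.Handler) http.Handler {
	ok := make(map[string]bool)
	for _, id := range allowed {
		if id != "" { // never treat an empty ID as trusted
			ok[id] = true
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := r.Header.Get(inboundHeader)
		if id == "" || !ok[id] { // fail closed on a missing or unknown ID
			http.Error(w, "403 forbidden", http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the wrapper and returns the
// HTTP status. An empty inbound value means the header is not sent at all.
func statusFor(allowed []string, inbound string) int {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "internal data")
	})
	req := httptest.NewRequest("GET", "/internal/report", nil)
	if inbound != "" {
		req.Header.Set(inboundHeader, inbound)
	}
	rec := httptest.NewRecorder()
	internalOnly(allowed, inner).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor([]string{"my-app"}, "my-app"))    // same app: 200
	fmt.Println(statusFor([]string{"my-app"}, ""))          // no header: 403
	fmt.Println(statusFor([]string{"my-app"}, "other-app")) // other app: 403
}
```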

huangapple
  • Published on June 12, 2014 00:13:20
  • When reposting, please keep the link to this article: https://go.coder-hub.com/24167751.html