Restricting access to logged in users for static files in google app engine app by way of yaml rules fails

Question

I tried to use the documented way of restricting access to URLs marked as static by way of login: required rules in the app.yaml file. My intention is to have access to script URLs handled by the Go programming language by XMLHttpRequests, but the first step of authenticating the user before she can load the file dist/index.html fails.

Surprisingly for me, the user is not prompted to log in; instead she receives the dist/index.html file and all other files it asks for from the static folder, as if no restricting rule were present.

This is my app.yaml file:

application: helloworld
version: 1
runtime: go
api_version: go1

handlers:

- url: /
  static_files: dist/index.html
  upload: dist/index.html
  secure: always 
  login: required  # this is what fails as far as I'm concerned

- url: /(.*\.(txt|html|json|png|js|log|md|css|ico))
  static_files: dist/\1
  upload: dist/(.*\.(txt|html|json|png|js|log|md|css|ico))
  secure: always 
  login: required

- url: /.*
  script: _go_app
  secure: always
  login: required

The folder that I uploaded to appengine looks like this:

app.yaml
index.yaml
xhr_responses.go - this is the intended future non static AJAX part
dist/
 index.html
 loads of other stuff that is static

Answer 1

Score: 1

The 'login:' handler options in the .yaml config files rely on Google's authentication, which can be persisted using cookies and survive a browser restart.

To properly test the authentication you need to either use a fresh incognito browser session or go to one of the Google sites and ensure you're not logged in (explicitly log out from all Google accounts if needed) before testing.

Answer 2

Score: 0

Apparently I was signed in when trying stuff on the live Google App Engine, which I just forgot is the way it knows not to redirect access to a new login prompt.
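
Both answers come down to testing without an existing Google session. The following Go check is an added example, not code from the question or the answers: it requests each path with no cookies and without following redirects, and reports any path that is served directly. The names `anonymousClient` and `UnprotectedPaths` are hypothetical, and it assumes the default behaviour where `login: required` redirects an unauthenticated request to sign-in.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"
	"time"
)

// anonymousClient sends no cookies (no Jar) and does not follow redirects,
// so a browser's existing Google session cannot mask a missing login rule.
func anonymousClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// UnprotectedPaths returns the paths that answered 2xx to an anonymous
// request. A handler with "login: required" is expected to answer with a
// redirect to the sign-in page instead of the file (assumed default).
func UnprotectedPaths(c *http.Client, baseURL string, paths []string) ([]string, error) {
	var open []string
	for _, p := range paths {
		resp, err := c.Get(baseURL + p)
		if err != nil {
			return nil, fmt.Errorf("GET %s: %w", p, err)
		}
		resp.Body.Close()
		if resp.StatusCode >= 200 && resp.StatusCode < 300 {
			open = append(open, p)
		}
	}
	return open, nil
}

func main() {
	if len(os.Args) < 3 {
		log.Fatal("usage: check <base-url> <path>...")
	}
	open, err := UnprotectedPaths(anonymousClient(), os.Args[1], os.Args[2:])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("served without login:", open)
}
```

Run it against the deployed app with the static paths from app.yaml (for example `/` and `/index.html`); an empty list means every path redirected instead of serving content.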

huangapple
  • Posted on April 9, 2016, 02:57:23
  • When reposting, please keep this article's link: https://go.coder-hub.com/36507250.html