Cloud Endpoints HTTP Cookies

7
votes

I am implementing Cloud Endpoints with a Python app that uses custom authentication (GAE Sessions) instead of Google Accounts. I need to authenticate the requests coming from the Javascript client, so I would like to have access to the cookie information.

Reading this other question leads me to believe that it is possible, but perhaps not documented. I'm not familiar with the Java side of App Engine, so I'm not quite sure how to translate that snippet into Python. Here is an example of one of my methods:

class EndpointsAPI(remote.Service):
  @endpoints.method(Query_In, Donations_Out, path='get/donations',
                    http_method='GET', name='get.donations')
  def get_donations(self, req):
    #Authenticate request via cookie

where Query_In and Donations_Out are both ProtoRPC messages (messages.Message). The parameter req in the function is just an instance of Query_In and I didn't find any properties related to HTTP data, however I could be wrong.

2
google-app-enginegoogle-cloud-endpoints

2 Answers

14
votes

First, I would encourage you to try to use OAuth 2.0 from your client as is done in the Tic Tac Toe sample.

Cookies are sent to the server in the Cookie Header and these values are typically set in the WSGI environment with the keys 'HTTP_...' where ... corresponds to the header name:

http = {key: value for key, value in os.environ.iteritems() 
        if key.lower().startswith('http')}

For cookies, os.getenv('HTTP_COOKIE') will give you the header value you seek. Unfortunately, this doesn't get passed along through Google's API Infrastructure by default.

UPDATE: This has been enabled for Python applications as of version 1.8.0. To send cookies through, specify the following:

from google.appengine.ext.endpoints import api_config

AUTH_CONFIG = api_config.ApiAuth(allow_cookie_auth=True)

@endpoints.api(name='myapi', version='v1', auth=AUTH_CONFIG, ...)
class MyApi(remote.service):
    ...

This is a (not necessarily comprehensive list) of headers that make it through:

  • HTTP_AUTHORIZATION
  • HTTP_REFERER
  • HTTP_X_APPENGINE_COUNTRY
  • HTTP_X_APPENGINE_CITYLATLONG
  • HTTP_ORIGIN
  • HTTP_ACCEPT_CHARSET
  • HTTP_ORIGINALMETHOD
  • HTTP_X_APPENGINE_REGION
  • HTTP_X_ORIGIN
  • HTTP_X_REFERER
  • HTTP_X_JAVASCRIPT_USER_AGENT
  • HTTP_METHOD
  • HTTP_HOST
  • HTTP_CONTENT_TYPE
  • HTTP_CONTENT_LENGTH
  • HTTP_X_APPENGINE_PEER
  • HTTP_ACCEPT
  • HTTP_USER_AGENT
  • HTTP_X_APPENGINE_CITY
  • HTTP_X_CLIENTDETAILS
  • HTTP_ACCEPT_LANGUAGE
10
votes

For the Java people who land here. You need to add the following annotation in order to use cookies in endpoints:

@Api(auth = @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE))

source

(Without that it will work on the local dev server but not on the real GAE instance.)