How to secure a Google cloud endpoint method which is called as a task?

0
votes

I have an android app talking to my Google cloud endpoints backend.

In one of the endpoint methods I'm spinning off a "task" pushed to the queue.

The task is handled by another endpoint method e.g. "/taskendpoint/doSomeWork"

I've secured this endpoint method(that handles the task functionality) by limiting access to "/_ah/spi/taskendpoint/*" to "admin users" only as has been advised here - https://developers.google.com/appengine/docs/java/taskqueue/overview-push#Java_Securing_URLs_for_tasks

I've checked that from the browser and everything works as expected allowing only admin-users to access the url.

However, the another problem now is that the same task endpoint and methods are visible in the Google endpoint API explorer in the browser and anyone can enter values here and play around with the task methods. How do I make this method invisible in the API explorer as this method is needed only by the task ?

Also, although my app uses OAuth authentication but it is for authenticating android clients and in this case it is only an endpoint method calling another endpoint method via the task.

I couldn't find a lot of documentation around this, so I'd appreciate any help

2
androidgoogle-app-engineoauth-2.0google-cloud-endpoints
One workaround could be if I could know if the endpoint method was invoked by API Explorer and then just reject that request in code. Is there a way to know if the endpoint method was invoked by API explorer ? - user3034970
Yes, this is the solution. In your endpoint class you should have a line in the @Api portion at the top that looks like clientIds = {com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID, your_android_client_id}. Remove the api explorer item. - willlma
These fields are not used in the oauth structure for the task as the call to the task method is made from within the app engine and not an android client, auth is not being used.If auth is used, it would make it necessary to authenticate the task request as well, and there is no clean way to do that.Found an easier way to solve this below.. - user3034970

2 Answers

1
votes

This is how I finally solved the overall problem of blocking access to my task url to any outside requests -

First, Block the "_ah/spi" access to the task url using https://developers.google.com/appengine/docs/java/taskqueue/overview-push#Java_Securing_URLs_for_tasks (already mentioned in the original post)

Second, now to block access to the "_ah/api" (which was the main issue) request to the task url that comes in through the API explorer, this is what I did -

add a HttpServletRquest to the endpoint method and check for any task related header e.g. "X-AppEngine-QueueName"

As per documentation, GAE ensures only requests emanating from tasks contain these headers and no other request will contain these headers.

Therefore, when you call the method from the API explorer, these headers are null and you can throw an exception for such requests received which are not coming from tasks. A short code sample give below -

@ApiMethod(name = "sendMessage", httpMethod = HttpMethod.POST)
public void sendMessage(HttpServletRequest req, @Named("messageText") String MessageText)
{
    String str = req.getHeader("X-AppEngine-QueueName");
    if(str==null)
    {
        // throw invalid request exception here 
    }

...

0
votes

1) Add a user parameter to method for auth

@ApiMethod(name = "test", path = "myApi/test",
          scopes = {Constants.EMAIL_SCOPE},
            clientIds = {Constants.WEB_CLIENT_ID, 
                     Constants.ANDROID_CLIENT_ID, 
                     com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
                     audiences = {Constants.ANDROID_AUDIENCE})
  public User test(User user) throws UnauthorizedException    {

      if (user == null) throw new UnauthorizedException("User not valid!");   

      return user;
  }

2) Generate a token

https://developers.google.com/accounts/docs/OAuth2WebServer

3) use the token created previously

GoogleCredential credential = new GoogleCredential().setAccessToken(accessToken);

https://code.google.com/p/google-api-java-client/wiki/OAuth2