0
votes

What I'd like to do is limit access to my service endpoints to only the web app deployed on Google App Engine, so, access from only some-app-id.appspot.com and the domain mapped to it, mymappeddomain.com. I also do not want a user to login in order for the APIs to work. So, basically I want the API to only be accessible to the JavaScript code hosted in the same Google App Engine app instance, without having users login to use the service. Ideally also my API is not viewable in the API Explorer.

I've researched this a bit, and found a few articles (sample code, walk through), but haven't had success applying them. Also, it seems that all the solutions seem to still require a user to login. I've created a web application client id using my Google Developer Console.

The endpoint is written in Go and deployed to Google App Engine. It's similar to this:

package my

import (
    "log"

    "github.com/GoogleCloudPlatform/go-endpoints/endpoints"
)

// Request, response and service types (their fields are not shown in the question).
type MyRequest struct{}
type MyResponse struct{}
type MyService struct{}

func (ms *MyService) ListData(c endpoints.Context, r *MyRequest) (*MyResponse, error) {
    // Verify the bearer token from the Authorization header: it must carry the
    // e-mail scope and have been issued for one of the listed OAuth client IDs.
    _, err := endpoints.CurrentBearerTokenUser(c,
        []string{endpoints.EmailScope},
        []string{"some-long-id-matching-what-is-used-in-javascript.apps.googleusercontent.com"})
    if err != nil {
        log.Printf("auth failed: %v", err)
        return nil, err
    }
    // ... rest of the handler
    return &MyResponse{}, nil
}

My JavaScript looks like:

var app = angular.module('myApp', ['ngRoute', 'angular-google-gapi']);

app.run(['$window', 'GAuth', 'GApi', function ($window, GAuth, GApi) {
  var CLIENT = 'some-long-id-matching-what-is-used-in-go.apps.googleusercontent.com';
  var BASE;

  if($window.location.hostname === 'localhost') {
    BASE = '//localhost:8080/_ah/api';
  } else {
    BASE = 'https://my-app-id.appspot.com/_ah/api';
  }

  GApi.load('myservice', 'v1', BASE);
  GAuth.setClient(CLIENT);
  GAuth.setScopes('https://www.googleapis.com/auth/userinfo.email');

  GAuth.checkAuth().then(function () {
    console.log('authenticated');
  }, function () {
    console.log('authentication issue');
  });
}]);

When I run this app from a browser, I see the following errors in the JavaScript console:

angular-google-gapi.min.js:7 myservice v1 api loaded
https://content.googleapis.com/oauth2/v2/userinfo Failed to load resource: the server responded with a status of 401 (OK)
app.js:24 authentication issue

I'd love suggestions on how to make this work. Thank you in advance.


2 Answers

0
votes

GAuth.checkAuth() is just a method to test whether the user is already signed in to your application and to auto-connect the user if possible. To log in for the first time, you must use the method GAuth.login(). See the example there: https://github.com/maximepvrt/angular-google-gapi/tree/gh-pages

0
votes

I think what might work for you is to simply set an 'Access-Control-Allow-Origin' header in each of your endpoint handlers to block cross-origin requests [1]. This is the normal idiom for locking down some resource to JavaScript clients by domain.

[1] http://enable-cors.org/server_appengine.html
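As an added example (not code from the question or from either answer), here is what such an origin allowlist looks like as a plain net/http wrapper in Go, using the two origins named in the question. It echoes Access-Control-Allow-Origin only for an exact match against the allowlist, answers the OPTIONS preflight, and refuses requests that carry a non-allowlisted Origin. The handler name WithCORS, the allowlist and the path are assumptions for illustration; note that CORS only controls what a browser lets a page read, so the wrapped handler still has to verify the bearer token as the question's Go code does.

```go
package main

import (
	"log"
	"net/http"
)

// allowedOrigins is the origin allowlist: the App Engine default host and the
// mapped custom domain from the question. Exact-match comparison on the full
// Origin value (scheme + host) means a look-alike such as
// "https://some-app-id.appspot.com.attacker.example" does not match.
var allowedOrigins = map[string]bool{
	"https://some-app-id.appspot.com": true,
	"https://mymappeddomain.com":       true,
}

// corsHeaders returns the CORS response headers to attach for the given
// request Origin, or nil if the origin is not on the allowlist.
func corsHeaders(origin string) map[string]string {
	if !allowedOrigins[origin] {
		return nil
	}
	return map[string]string{
		"Access-Control-Allow-Origin":  origin,
		"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
		"Access-Control-Allow-Headers": "Authorization, Content-Type",
		// Caches must key on Origin so one origin's allow header is never
		// served to another.
		"Vary": "Origin",
	}
}

// WithCORS wraps a handler: it echoes the Origin back only for allowlisted
// origins, answers preflight OPTIONS requests, and passes everything else on.
// Requests without an Origin header (same-origin GETs, non-browser clients)
// pass through untouched, which is why token verification is still required.
func WithCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		hdrs := corsHeaders(origin)
		if origin != "" && hdrs == nil {
			// Cross-origin request from a page that is not allowlisted: refuse
			// outright instead of running the handler and merely omitting the
			// CORS headers (the browser would hide the response, but the
			// server-side work would already have happened).
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		for k, v := range hdrs {
			w.Header().Set(k, v)
		}
		if r.Method == http.MethodOptions {
			// Preflight: the headers above are the whole answer.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	// Hypothetical endpoint path; the real handler would verify the bearer token here.
	mux.HandleFunc("/_ah/api/myservice/v1/list", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"items":[]}`))
	})
	log.Fatal(http.ListenAndServe(":8080", WithCORS(mux)))
}
```

The exact-match map is deliberate: checking with strings.HasSuffix or a regular expression is the usual way such allowlists go wrong, and 'Vary: Origin' matters on App Engine because responses may sit in a shared cache in front of the instance.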