How to verify that Google PubSub is hitting my endpoint and not another actor

0
votes

I have a fully functional endpoint that will receive a POST request from a PubSub subscription when a change has been detected in a user's Gmail inbox. Inside of the endpoint, I can successfully extract everything I need for my purposes.

The problem is that I have no idea who is actually hitting my endpoint. A bad actor could just pass me the same payload that Gmail would.

Is there a way for me to verify that the payload that I'm receiving is actually from Google/Gmail/PubSub?

On the Gmail side: It seems the payload that is sent to my endpoint is unable to be changed and will always be of the form as detailed here: https://developers.google.com/gmail/api/guides/push

On the PubSub side: You can create your own topic and add key/value pairs as custom attributes to it, but it seems I wouldn't be able to modify the payload that Gmail is publishing to my topic. https://cloud.google.com/pubsub/docs/publisher

Any insight would be greatly appreciated thank you!

1
gmail-apigoogle-cloud-pubsub

1 Answers

1
votes

The suggested way to do this is to include a secret as a url parameter for your endpoint. You could then reject any urls which do not include this secret. https://cloud.google.com/pubsub/docs/faq#security

This could be configured as part of your normal push endpoint when you set up a push subscription.

If you wish to add extra metadata to the provided gmail messages, you could always set up a cloud dataflow job or cloud function as a subscriber directly from the gmail topic, and republish on a second topic which your external endpoint will read from.

-Daniel