How to secure a Google Cloud Endpoints method that is called as a task?

Time: 2021-07-19 22:52:55

I have an android app talking to my Google cloud endpoints backend.

In one of the endpoint methods I'm spinning off a "task" pushed to the queue.

The task is handled by another endpoint method, e.g. "/taskendpoint/doSomeWork".

I've secured this endpoint method (the one that handles the task functionality) by limiting access to "/_ah/spi/taskendpoint/*" to "admin users" only, as advised here - https://developers.google.com/appengine/docs/java/taskqueue/overview-push#Java_Securing_URLs_for_tasks

I've checked that from the browser and everything works as expected, allowing only admin users to access the URL.

However, another problem now is that the same task endpoint and methods are visible in the Google endpoint API explorer in the browser, and anyone can enter values there and play around with the task methods. How do I make this method invisible in the API explorer, as this method is needed only by the task?

Also, although my app uses OAuth authentication, that is for authenticating Android clients; in this case it is only an endpoint method calling another endpoint method via the task.

I couldn't find a lot of documentation around this, so I'd appreciate any help.

2 solutions

#1


1  

This is how I finally solved the overall problem of blocking access to my task url to any outside requests -

First, block the "_ah/spi" access to the task URL using https://developers.google.com/appengine/docs/java/taskqueue/overview-push#Java_Securing_URLs_for_tasks (already mentioned in the original post).

Second, to block the "_ah/api" requests to the task URL that come in through the API explorer (which was the main issue), this is what I did -

Add an HttpServletRequest parameter to the endpoint method and check for any task-related header, e.g. "X-AppEngine-QueueName".

As per documentation, GAE ensures only requests emanating from tasks contain these headers and no other request will contain these headers.

Therefore, when you call the method from the API explorer, these headers are null and you can throw an exception for such requests that are not coming from tasks. A short code sample is given below -

import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.ApiMethod.HttpMethod;
import com.google.api.server.spi.config.Named;
import com.google.api.server.spi.response.UnauthorizedException;
import javax.servlet.http.HttpServletRequest;

@ApiMethod(name = "sendMessage", httpMethod = HttpMethod.POST)
public void sendMessage(HttpServletRequest req, @Named("messageText") String messageText)
        throws UnauthorizedException
{
    // App Engine sets this header only on requests it dispatches from a task queue
    String str = req.getHeader("X-AppEngine-QueueName");
    if (str == null)
    {
        // Reject anything that did not come from the task queue (e.g. the API explorer)
        throw new UnauthorizedException("Not a Task Queue request");
    }

    // ... task handling continues here ...
}
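As an added example (not code from the question or from either answer), the header check above can be pulled into a small reusable guard so every task-only endpoint method applies the same rule. It relies only on the documented App Engine behaviour that the X-AppEngine-QueueName, X-AppEngine-TaskName and X-AppEngine-TaskRetryCount headers are set by App Engine on requests it dispatches from a push queue and are stripped from external requests. The API name "taskendpoint", the method "doSomeWork" and the queue name "default" are assumptions for illustration; the two classes are shown in one file for brevity.

```java
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Named;
import com.google.api.server.spi.response.UnauthorizedException;
import javax.servlet.http.HttpServletRequest;

// Added example (not from the question or answers): a reusable guard for
// Cloud Endpoints methods that must only be reachable through a push task.
final class TaskRequestGuard {
    // Any of these headers marks a request as dispatched by App Engine Task Queue;
    // App Engine strips them from requests arriving from outside.
    static final String[] TASK_HEADERS = {
        "X-AppEngine-QueueName",
        "X-AppEngine-TaskName",
        "X-AppEngine-TaskRetryCount"
    };

    private TaskRequestGuard() {}

    /** True only if App Engine dispatched this request from a push queue. */
    static boolean isTaskRequest(HttpServletRequest req) {
        for (String header : TASK_HEADERS) {
            String value = req.getHeader(header);
            if (value != null && !value.isEmpty()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Rejects (HTTP 401 via UnauthorizedException) any request that is not a task,
     * and optionally pins the method to one queue so tasks enqueued on other
     * queues cannot reach it either. Pass null for expectedQueue to accept any queue.
     */
    static void requireTask(HttpServletRequest req, String expectedQueue)
            throws UnauthorizedException {
        if (!isTaskRequest(req)) {
            // Covers calls from the API explorer, curl, browsers, etc.
            throw new UnauthorizedException("Only Task Queue requests may call this method");
        }
        String queue = req.getHeader("X-AppEngine-QueueName");
        if (expectedQueue != null && !expectedQueue.equals(queue)) {
            throw new UnauthorizedException("Task came from unexpected queue: " + queue);
        }
    }
}

// Hypothetical API name and method; adjust to your own endpoint class.
@Api(name = "taskendpoint", version = "v1")
public class TaskEndpoint {

    @ApiMethod(name = "doSomeWork", httpMethod = ApiMethod.HttpMethod.POST)
    public void doSomeWork(HttpServletRequest req,
                           @Named("messageText") String messageText)
            throws UnauthorizedException {
        // "default" is an assumed queue name; use the queue you actually push to.
        TaskRequestGuard.requireTask(req, "default");

        // Task-only work goes here; it runs only when the guard passed.
        // (Body intentionally left to the application.)
    }
}
```

The method still appears in the API explorer (the explorer lists every @ApiMethod), but any attempt to invoke it from there fails with 401 because the explorer cannot supply the App Engine-internal headers. Pinning the queue name is a cheap extra check: it means a task mistakenly enqueued on a different queue, or by a different part of the app, is also rejected rather than silently processed.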

#2


0  

1) Add a User parameter to the method for auth

import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

// Constants is your own class holding the client IDs, scope and audience
@ApiMethod(name = "test", path = "myApi/test",
           scopes = {Constants.EMAIL_SCOPE},
           clientIds = {Constants.WEB_CLIENT_ID,
                        Constants.ANDROID_CLIENT_ID,
                        com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
           audiences = {Constants.ANDROID_AUDIENCE})
public User test(User user) throws UnauthorizedException {
    // Endpoints injects null when the caller presented no valid token for one of the listed client IDs
    if (user == null) throw new UnauthorizedException("User not valid!");

    return user;
}

2) Generate a token

https://developers.google.com/accounts/docs/OAuth2WebServer

3) Use the token created previously

GoogleCredential credential = new GoogleCredential().setAccessToken(accessToken);

https://code.google.com/p/google-api-java-client/wiki/OAuth2
