How do I protect urls I use internally for push queues in Google App Engine?

Question

I'm running Flask on GAE, and I'm working on implementing a push queue to run tasks for me in the background. Because GAE's push queues work by scheduling and sending http requests to my flask server, I'm concerned about my users guessing the urls I designated for internal use with my push queue. I thought about having the push queue send a secret key along with the requests, and have my server only execute the job if the key included in the request is correct, something like this:

taskqueue.add(url='/worker', params={'super_secret_key': 12345})

But I'm wondering if there's a more secure / better way to do this?

Thanks!

Answer 1

here is another way to do it that i think is more efficient. you can take advantage that appengine removes some request headers from external (ie users) requests. but it doesnt if the request is internal:

http://googlecloudplatform.blogspot.com/2015/07/Unit-Testing-cron-handlers-in-Google-App-Engine.html

look where it says: "Instead, the Cron Service sets a special request header -- X-AppEngine-Cron: true. This is a header that application code can fully trust, since App Engine removes such headers if they’re set in an external request."

you should be able to use the same principle when making yours calls. see these request headers that google sets on taskqueue calls:

https://cloud.google.com/appengine/docs/python/taskqueue/overview-push#task_request_headers

you wont need the admin login anymore, and note that its even more secure because it will only be possible to call from a task queue (thus would require a code change to tamper)

Answer 2

You can protect your task urls by configuring them in app.yaml to use admin login

- url: /worker
  ......
  login: admin