Phan Dinh

Reputation: 285

How to authenticate for Google Cloud App Engine task handlers

I have an App Engine worker that handles requests for my Google Cloud Tasks queue. How can I verify a request from my task queue, since it allows requests from any other host or client?

I tried reading the App Engine task request headers, but I think it is NOT enough for authenticating the request.

Furthermore, how can I verify a request from the same Google Cloud project (like internal services)?

Upvotes: 0

Views: 2024

Answers (3)

Josh Heslin

Reputation: 36

It would also be possible to verify the IP address of the request.

Such as:

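const express = require('express');
const router = express.Router();

router.get('/task-handler', (req, res) => {
  // Source address as reported by App Engine in its own request header
  const ip = req.headers['x-appengine-user-ip'];
  if (ip !== '0.1.0.2') {
    return res.sendStatus(401);
  }
  // trusted: handle the task here, then acknowledge it
  return res.sendStatus(200);
});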

Upvotes: 0

Averi Kitsch

Reputation: 921

Using the request headers is the best way to authenticate that the request is coming from Cloud Tasks. App Engine will strip headers from the request that try to mimic internal headers, like X-AppEngine-QueueName.

Unfortunately, in Python 3 there isn't a way to restrict to authenticated users like in Python 2.7 app.yaml.

Lastly, if this doesn't suffice, I recommend adding/signing your own JWT to the request header and authenticating it in your App Engine handler.

Upvotes: 3
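
The two checks suggested in the answer above (the X-AppEngine-QueueName header, then a self-signed JWT), shown as an added example that is not code from any of the answers. It assumes the enqueuing service and the handler share a secret and that the token travels in a custom task header; the header name `x-task-token`, the claim names `queue` and `bodyHash`, and the sample values are all hypothetical.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();
const sha256hex = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Enqueuer side: short-lived HS256 JWT bound to one queue and one task body.
function signTaskToken(secret, queue, body, nowSec, ttlSec = 300) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const claims = b64url(JSON.stringify({ queue, bodyHash: sha256hex(body), exp: nowSec + ttlSec }));
  return `${header}.${claims}.${b64url(hmac(`${header}.${claims}`, secret))}`;
}

// Handler side. `headers` uses lower-cased names, as Node and Express expose them.
// 'x-task-token' is a hypothetical custom header chosen for this example.
function verifyTaskRequest(headers, body, secret, expectedQueue, nowSec) {
  const fail = (reason) => ({ ok: false, reason });
  // First gate: the header App Engine strips from external requests.
  if (headers['x-appengine-queuename'] !== expectedQueue) return fail('queue header');
  const parts = String(headers['x-task-token'] || '').split('.');
  if (parts.length !== 3) return fail('malformed token');
  const [h, c, sig] = parts;
  // Check the MAC in constant time before parsing anything inside the token.
  const expected = hmac(`${h}.${c}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return fail('signature');
  }
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  } catch (e) {
    return fail('malformed token');
  }
  if (!header || !claims || header.alg !== 'HS256') return fail('algorithm'); // pin the algorithm
  if (typeof claims.exp !== 'number' || claims.exp < nowSec) return fail('expired');
  if (claims.queue !== expectedQueue) return fail('queue claim');
  if (claims.bodyHash !== sha256hex(body)) return fail('body');
  return { ok: true, reason: 'ok' };
}

// Constructed sample values, not real credentials.
const SAMPLE = { secret: 'constructed-secret', queue: 'my-queue', body: '{"job":42}', now: 1700000000 };
```

In a handler, a result with `ok: false` should map to a 401 or 403 before any task work runs, and the shared secret should come from a secret store rather than source code.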

marian.vladoi

Reputation: 8066

The tutorial shared by Kolban is for HTTP Target task handlers. I understand that you are using App Engine task handlers.

App Engine task handlers do not support the "oauthToken" and "oidcToken" fields (link).

According to the official documentation, you would have to secure your task handler URLs to prevent malicious external calls (link).

For example:

 handlers:
 - url: /your-task
   script: worker.app
   login: admin

You can find more information in: Creating App Engine task handlers

Upvotes: 0
