Process to Authenticate WebAPI of GAE


udit sharma

Mar 9, 2018, 2:09:25 AM3/9/18
to Google App Engine

Hey All, 

I have an application running using Firebase and GAE. I am using Firebase to authenticate users and GAE to deploy the backend logic code. Firebase Real-time Database is acting as a database for us. Calls between GAE and the Firebase database are happening using Firebase Database Secrets. I have created a WebAPI which my application front end is using for data requirements. My API is public now; anyone with the URL can call it and get the result. Though the user authentication is happening using Firebase OAuth, the API can be used by anyone who gets to know the parameters and endpoints. I want to secure my WebAPI so that it can only be used by the application and some specific IP addresses for testing purposes.

What shall I use to secure that? The Firebase uuid which is unique to the specific user? If anyone gets the uuid of his account (anyhow) it won't be secure.
Any other way to secure that?

Any help would be appreciated!

Thanks


Kenworth (Google Cloud Platform)

Mar 9, 2018, 12:37:30 PM3/9/18
to Google App Engine
It seems Firebase Database Security Rules API can be used to set rules to limit/grant access to their DB. For example, developers can restrict access to only emails coming from your domain or craft a rule which only allows users if their email is whitelisted.

For GAE, users can restrict IP addresses using Firewall rules or configure your app to only allow access by admin users (GAE Standard only).

udit sharma

Mar 12, 2018, 6:04:59 AM3/12/18
to Google App Engine
Hi Kenworth, 

Thanks for the reply. 

As I said, I am using the Firebase Database Secrets to make calls between GAE and the Firebase Database. I do not have any problem with that; my problem is the hosted API on GAE. That API is not secure: anyone with the API endpoints and URL structure can query it in their browser. So I want to secure it so that it can only be accessed by the iOS application on the phone and by some IP addresses. I got your only solution, I can restrict that using Firewalls, but by doing that my application cannot use it either.

Hope I am clearly describing the problem.

Thanks

Kenworth (Google Cloud Platform)

Mar 12, 2018, 12:15:13 PM3/12/18
to Google App Engine
Is your app running on GAE Standard? If so, you can use the flag "login: admin" to restrict access to admin users only. This is separate from the Firewall solution.
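Neither reply shows how the GAE handler itself can tell a signed-in app user from an anonymous caller who has guessed the URL. The usual approach is to have the iOS app send the Firebase ID token it already holds (as a Bearer header) and have the backend verify that token before answering. The following is an added example, not code from this thread or from Google: the project id is a placeholder, the RS256 signature check is passed in as a callable (in production it is an RSA-SHA256 verification against Google's published public keys), and the HMAC-signed demo tokens are constructed only so the claim checks can be exercised offline.

```python
import base64, hashlib, hmac, json, time

FIREBASE_PROJECT_ID = "example-project"  # placeholder, not a real project id
ISSUER = "https://securetoken.google.com/" + FIREBASE_PROJECT_ID

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_firebase_id_token(token, public_keys, verify_signature, now=None):
    """Return the claims of a valid Firebase ID token, else raise ValueError.
    public_keys: {kid: key}; verify_signature(key, signing_input, sig) -> bool."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token's own header choose how it is verified.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    key = public_keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if not verify_signature(key, f"{header_b64}.{payload_b64}".encode(), signature):
        raise ValueError("bad signature")
    # Claims must bind the token to this project, be current, and name a user.
    if claims.get("aud") != FIREBASE_PROJECT_ID or claims.get("iss") != ISSUER:
        raise ValueError("token is for a different project")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    if not isinstance(iat, (int, float)) or iat > now:
        raise ValueError("token issued in the future")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims

def make_demo_token(claims, kid, key, alg="RS256"):
    """Constructed token for local testing, HMAC-signed as a stand-in for RS256."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"

def demo_verify(key, data, sig):
    """Stand-in for the RS256 check that matches make_demo_token (HMAC, demo only)."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), sig)
```

A request without a token that passes these checks is rejected before any database call, so guessing endpoints or parameters alone no longer yields data; the firewall rule from the replies can still be layered on top for the test IPs.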