security of web service with Google App Engine + Cloud Endpoints


Deniz Yazar

Apr 29, 2018, 12:19:05 PM
to Google App Engine
I am developing a web service (server) for my web application to allow users to get information about their account. After looking at every amazing Google Cloud product, I am thinking of doing the following to have a secure server on Google Cloud:
  1. Having clients log in with Firebase Auth on the web app
  2. Add security specifications in Cloud Endpoints to allow only Firebase logged-in users to access specific paths (running on a Node.js server on Google App Engine)
  3. Extract the ID token received on the server by decoding it to return users only their data
    • Is simply having Firebase security rules in the OpenAPI file in Cloud Endpoints enough to make sure only users logged in can access their own data?
I'm also limiting access to some paths for service accounts. After making that security rule in Cloud Endpoints, isn't there really anything else to do to make sure the system is secure? Is it really this easy to achieve a secure system? After this point, is it just my Google account's security that's left to protect?

Ani Hatzis

Apr 30, 2018, 8:46:02 AM
to Google App Engine
Hi Deniz,
> allow users to get information about their account

Is the only data shown to the user the information that has been extracted from the current user's ID token?

Or do you store additional custom user information that your endpoints will show to the current user, e.g. their user profile? If you have more user-related data in Firebase than what is already managed by Firebase Auth (in Firebase Users), you might (as usual) need rules in FB to prevent reading/writing other users' custom data in Realtime Database (or Cloud Firestore). In Firebase, all authenticated users can read/write the entire database by default, unless you set up rules to restrict access. And that access works outside of your App Engine app, so you would need the FB rules as additional protection when clients access FB directly.

Ani

Deniz Yazar

May 1, 2018, 12:38:20 PM
to Google App Engine
Hi Ani,

I already have Firebase database rules, but I am only worried about the security of the Google App Engine and Cloud Endpoints side. I am wondering whether it is really this simple to achieve security. I get the ID token of the user in my API running on Google App Engine. Then I use admin privileges to get info for the user ID I extracted from the token. I need to make sure that the user ID cannot be manipulated in the token. Can I be sure that the ID I extract from the token is safe?

Katayoon (Cloud Platform Support)

May 2, 2018, 10:26:03 AM
to Google App Engine
Hi Deniz,

I should add that here you can get a good grasp of the measures Google Cloud has taken to assure customers on trust and security. In the Security Resources you may explore helpful resources to study, like the whitepaper on “Google’s approach to security and compliance for Google Cloud Platform”, which addresses Data Access and Restrictions as well.

Ani Hatzis

May 4, 2018, 9:22:28 AM
to Google App Engine
Yes, Deniz, I believe so, but just to be sure we are talking about the same "user ID", or more precisely, how it is extracted: for Cloud Endpoints handlers in App Engine the implementation can be really simple and safe. If you implement the handler in Node.js (flexible environment), your handler reads the request's HTTP header X-Endpoint-API-UserInfo to retrieve the current user's information as a JSON object, including the user ID. I assume that's what you intend to implement, and you can rely on the user information retrieved from this header (see the earlier reply by Katayoon). If you intend to use the Authorization header instead, read my PS below. You might want your implementation to also check if the hosted domain is the same as a particular G Suite domain, though, or apply whatever custom access control you need additionally (roles, custom claims etc.).

Other than that, as always, keep tight control of user access to your GCP resources (via IAM in Cloud Console) and an eye on the Audit Log, and you should be safe.

Ani

PS: Theoretically, your handler could (instead of X-Endpoint-API-UserInfo) access the original HTTP Authorization header of the request (if I remember correctly, Cloud Endpoints ESP/OpenAPI makes it available to the handler) to validate the ID token and extract user information. But safely validating a JSON Web Token (JWT) is not trivial, since anyone could send a fake ID token to your endpoint. Therefore I assume that's not what you plan to do. Handlers outside of Cloud Endpoints or even outside of App Engine might need to (partially) implement their own token validation, but I would avoid this wherever I can. For everyone who is interested: a very general, platform-agnostic documentation is provided by Google Identity Platform: OpenID Connect - Validating an ID Token.
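To make the handler-side step concrete, here is an added example (not code from the thread or from Google) of a Node.js backend reading the X-Endpoint-API-UserInfo header that ESP sets after it has validated the ID token, and deriving the user ID only from that header. It assumes the backend is reachable only through ESP (otherwise a direct caller could set the header themselves), that the JSON carries the `id`, `email` and `issuer` fields the ESP docs describe, and that the issuer list and the hosted-domain check (approximated here by the e-mail domain) are placeholders you would adapt.

```javascript
// Added example: extract the caller's identity from the ESP-populated header.
// Assumption: this service only receives requests that have passed through ESP,
// so the header reflects a token ESP already verified. Placeholder project id.
const ALLOWED_ISSUERS = ['https://securetoken.google.com/YOUR-FIREBASE-PROJECT'];

// ESP sends base64(url)-encoded JSON; accept both alphabets and tolerate padding.
function decodeUserInfo(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return null;
  const normalized = headerValue.replace(/-/g, '+').replace(/_/g, '/');
  let info;
  try {
    info = JSON.parse(Buffer.from(normalized, 'base64').toString('utf8'));
  } catch (e) {
    return null; // not valid base64/JSON: treat the request as unauthenticated
  }
  return info && typeof info === 'object' ? info : null;
}

// Returns the user id to look data up by, or null if anything is missing or
// unexpected. `requiredHd` optionally enforces a G Suite domain (Ani's remark);
// the header has no `hd` claim, so the e-mail domain stands in for it here.
function currentUserId(headers, requiredHd) {
  const info = decodeUserInfo(headers['x-endpoint-api-userinfo']);
  if (!info || typeof info.id !== 'string' || info.id === '') return null;
  if (!ALLOWED_ISSUERS.includes(info.issuer)) return null;
  if (requiredHd) {
    const email = typeof info.email === 'string' ? info.email : '';
    const domain = email.slice(email.lastIndexOf('@') + 1);
    if (domain !== requiredHd) return null;
  }
  return info.id;
}

// Helper to build header values the way ESP would (used for the constructed samples).
function encodeUserInfo(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64');
}

// Constructed sample headers (Node lower-cases header names).
const sampleHeaders = {
  'x-endpoint-api-userinfo': encodeUserInfo({
    id: 'uid-12345', email: 'alice@example.com', issuer: ALLOWED_ISSUERS[0],
  }),
};
const wrongIssuerHeaders = {
  'x-endpoint-api-userinfo': encodeUserInfo({
    id: 'uid-12345', email: 'alice@example.com', issuer: 'https://issuer.invalid',
  }),
};
const garbageHeaders = { 'x-endpoint-api-userinfo': 'not-base64-json' };
```

The handler then uses the returned ID for the admin-SDK lookup and never reads an ID from the request body or query string.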