Google App Engine inter module communication authorization (python)


Diego Fernandez

Jun 17, 2015, 12:37:36 PM
to google-a...@googlegroups.com
Hello,

You can configure any manual or basic scaling module to accept requests from other modules in your app by restricting its handler to only allow administrator accounts, specifying login: admin for the appropriate handler in the module's configuration file. With this restriction in place, any URLFetch from any other module in the app will be automatically authenticated by App Engine, and any request that is not from the application will be rejected.

And this is exactly the configuration I have for my module called "api1". In my app.yaml file I have:

# can accept requests from other modules. with login: admin and they are authenticated automatically.
- url: /.*
  script: _go_app
  login: admin

I'm trying now, from a different module in the same app, to make a service call as suggested in the doc using the urlfetch.fetch() method, and my implementation is:

import json

from google.appengine.api import urlfetch, modules, app_identity
from rest_framework import status
from rest_framework.decorators import api_view
from rest_framework.response import Response

@api_view(['POST'])
def validate_email(request):
    # Hostname of the target module ("api1") in the same app
    url = "http://%s/" % modules.get_hostname(module="api1")
    payload = json.dumps({"SOME_KEY": "SOME_VALUE"})

    appid = app_identity.get_application_id()
    # follow_redirects=False: per the docs, needed for X-Appengine-Inbound-Appid to be added
    result = urlfetch.fetch(url + "emails/validate/document",
                            follow_redirects=False,
                            method=urlfetch.POST,
                            payload=payload,
                            headers={"Content-Type": "application/json"})

    # Relay the upstream status code and body to the caller
    return Response({
        'status_code': result.status_code,
        'content': result.content
    }, status=status.HTTP_200_OK)

According to the documentation, having specified follow_redirects=False, fetch() will automatically insert a header in my call (I've even tried to add it explicitly) with the "X-Appengine-Inbound-Appid" : MY-APP-ID.
Unfortunately I get a 302 redirect as the result of the fetch call; if I follow it, it's a redirect to the authentication form. This occurs on the development server as well as in production.

Can you please let me know how can I call my api1 service inside my validate_email document (belonging to a different module in the same app)?
Is there another way to authenticate the call since it seems the way suggested inside the documentation is not working?

Thank you

Nick (Cloud Platform Support)

Jun 17, 2015, 6:54:43 PM
to google-a...@googlegroups.com, diego.f...@bluebridgeltd.com
I can confirm this is occurring, and I've reproduced the issue. The issue is being tracked over in the App Engine public issue tracker. Follow there for any updates.

For now, I think it's much better to be manually-inspecting the X-Appengine-Inbound-Appid header, as this is managed by the infrastructure and can't be spoofed.

You could also implement OAuth, but that adds overhead you may not want or need on a small app.

I've also posted the same as the above in the stackoverflow thread mentioned.
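
The manual X-Appengine-Inbound-Appid check suggested in the reply above, sketched as an added example that is not part of the original thread: a WSGI middleware for the receiving module that fails closed on a missing, empty or unexpected app ID. The names InboundAppIdGate, is_trusted_caller, api_app, status_for and the app ID my-app-id are hypothetical; it assumes login: admin is dropped from the handler so the request reaches this code, and that on App Engine the allowed ID would come from app_identity.get_application_id().

```python
# Added example: allow-list check on X-Appengine-Inbound-Appid for the receiving module.
INBOUND_APPID_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"  # WSGI name of the header


def is_trusted_caller(environ, allowed_app_ids):
    """True only when the header is present and exactly matches an allowed app ID."""
    caller = environ.get(INBOUND_APPID_KEY)
    return bool(caller) and caller in allowed_app_ids


class InboundAppIdGate(object):
    """WSGI middleware (hypothetical name) that rejects callers outside the allow-list."""

    def __init__(self, app, allowed_app_ids):
        self.app = app
        self.allowed = frozenset(allowed_app_ids)
        if not self.allowed or "" in self.allowed:
            # Fail closed: an empty allow-list must never mean "allow everyone".
            raise ValueError("allowed_app_ids must contain at least one non-empty app ID")

    def __call__(self, environ, start_response):
        if not is_trusted_caller(environ, self.allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def api_app(environ, start_response):
    """Stand-in for the api1 handlers (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"valid": true}']


def status_for(headers, allowed=("my-app-id",)):
    """Send one constructed request through the gate; return (status line, body)."""
    seen = []
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/emails/validate/document"}
    environ.update(headers)
    gated = InboundAppIdGate(api_app, allowed)
    body = gated(environ, lambda status, hdrs: seen.append(status))
    return seen[0], b"".join(body)


if __name__ == "__main__":
    print(status_for({INBOUND_APPID_KEY: "my-app-id"}))   # same-app caller
    print(status_for({INBOUND_APPID_KEY: "other-app"}))   # different app
    print(status_for({}))                                 # header absent
```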