API Key Restriction for Google API Called from URL Fetch within App Engine

I have an API Key for a Google API that I would like to use in all my requests to it. Some of these requests will originate from within a Google App Engine (Python 2.7) application. I had planned to use the UrlFetch library to complete the POST request, basically as follows:

import json
from google.appengine.api import urlfetch

headers = {'Content-Type': 'application/json'}
payload = {'longUrl': request.long_url}
result = urlfetch.fetch([API_REQUEST_URL],
                        method=urlfetch.POST,
                        payload=json.dumps(payload),
                        headers=headers)

json_result = json.loads(result.content)

I had set a referrer restriction on my API Key to *.[my-app].appspot.com/* with the hope that this would protect my API Key from unauthorized use and negate the need to update an IP-based key restriction (as App Engine IPs change all the time).

This approach has failed me though, because it seems that urlfetch does NOT specify a value for referrer on its own. I assume I could add my own referrer, but then so could anyone else. The approach isn't very secure.

What is the best practice? How should I restrict the key given that I'm using urlfetch from within App Engine? If I do use an HTTP Referrer restriction, which address do I use?

Many thanks.

HondaGuy asked Oct 17 '22 23:10


2 Answers

Did you get an error message like this?

Requests from referer <empty> are blocked.

urlfetch seems not to attach Referer automatically, so you should set Referer in your request header.

headers = {'Content-Type': 'application/json','Referer': '*.[my-app].appspot.com/*'}
kasajei answered Oct 29 '22 20:10


As you observed, the referrer header can be faked, so setting a referrer restriction on your API Key is rather useless to start with.

But you can add a check based on the X-Appengine-Inbound-Appid header, which is sanitized by the GAE infrastructure and precisely identifies the app. From Issuing a request to another App Engine app:

When issuing a request to another App Engine app, your App Engine app must assert its identity by adding the header X-Appengine-Inbound-Appid to the request. If you instruct the URL Fetch service to not follow redirects, App Engine will add this header to requests automatically.

To instruct the URL Fetch service to not follow redirects, set the fetch follow_redirects parameter to False.

Note: If you are making requests to another App Engine application, use its appspot.com domain name rather than a custom domain for your app.

Dan Cornilescu answered Oct 29 '22 20:10
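The receiving side of the X-Appengine-Inbound-Appid check described in the answer above, as an added example that is not code from the question or either answer. It assumes the caller is another App Engine app using URL Fetch with follow_redirects=False (so the platform sets the header and strips any copy an outside client sends); the allow-list value and the sample request headers are constructed, and the Referer check is included only to contrast it with the weaker approach the question tried.

```python
# Added example: authorizing app-to-app requests on the callee side.
# Assumption: this code runs inside App Engine, where the frontend removes any
# X-Appengine-Inbound-Appid header supplied by outside clients and sets it
# itself for URL Fetch calls from other App Engine apps (follow_redirects=False).

ALLOWED_CALLER_APP_IDS = frozenset(["my-app"])  # constructed allow-list


def _get_header(headers, name):
    """Case-insensitive lookup in a dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def caller_app_id(headers):
    """Return the asserted App Engine app id, or None if the header is absent or blank."""
    value = _get_header(headers, "X-Appengine-Inbound-Appid")
    if value is None:
        return None
    value = value.strip()
    return value or None


def authorize_inbound(headers, allowed=ALLOWED_CALLER_APP_IDS):
    """Return (ok, reason). Fails closed: no header means no access."""
    app_id = caller_app_id(headers)
    if app_id is None:
        return False, "missing X-Appengine-Inbound-Appid"
    if app_id not in allowed:
        return False, "unknown caller app id: %s" % app_id
    return True, "caller %s is allowed" % app_id


def authorize_by_referer(headers, domain_suffix=".appspot.com"):
    """The weaker check from the question: any client can choose its Referer."""
    referer = _get_header(headers, "Referer") or ""
    host = referer.split("//", 1)[-1].split("/", 1)[0]
    return host.endswith(domain_suffix)


# Constructed sample requests, as the receiving app would see them.
FROM_TRUSTED_APP = {"Content-Type": "application/json", "X-Appengine-Inbound-Appid": "my-app"}
FROM_UNKNOWN_APP = {"X-Appengine-Inbound-Appid": "someone-elses-app"}
FROM_OUTSIDE = {"Referer": "https://my-app.appspot.com/"}  # forged Referer, no app id set by platform

if __name__ == "__main__":
    for label, hdrs in [("trusted", FROM_TRUSTED_APP), ("unknown", FROM_UNKNOWN_APP), ("outside", FROM_OUTSIDE)]:
        print("%-8s app-id check: %s  referer check: %s" % (label, authorize_inbound(hdrs), authorize_by_referer(hdrs)))
```

The outside request passes the Referer check but is rejected by the app-id check, which is the point of relying on the platform-set header rather than the client-controlled one.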