
Authentication in Google App Engine: app.yaml vs. python code

I am writing a small app that uses the GAE. I have parts of my app that are for administrative use only. I have two options: using the login: admin option in app.yaml or google.appengine.api.users.is_current_user_admin() in Python code. The basic authentication is sufficient for my case.

Which solution is better?

The advantage of using app.yaml is that the Python code is a bit cleaner. Plus it may be the case that app.yaml may be more efficient, since it can be handled in the server. (In the worst case it is equal in terms of performance.) The only drawback is that I do not display a custom page, but I don't care too much for that.

I am unsure if my assertions are correct.

rioki asked Dec 08 '22 02:12


2 Answers

I would say your assertions are correct. Let's say you have the following in your app.yaml:

- url: /admin/.*
  script: admin.py
  login: admin

If you want everything in admin.py to be restricted to administrators, the configuration above ought to be more performant: you can fail unauthorized requests without ever spinning up admin.py.

Checking users.is_current_user_admin() is useful when you want to define more granular logic and behavior. Perhaps you have a handler that should be available whether the user is an admin, a non-admin, or not logged in; you just need to check their current state so you can return the appropriate HTML.

Drew Sears answered Feb 21 '23 07:02


If you have handlers which are only accessible to admins, then app.yaml certainly seems like the easiest way to secure the pages those handlers expose.

However, if you have some handlers which serve both admin and non-admin views (e.g., your main.py), then you'll have to use something more fine-grained than app.yaml (e.g., google.appengine.api.users.is_current_user_admin()).

I'd expect performance to be roughly equivalent once your application is running (a negligible fraction of the time it takes to load your page).

David Underhill answered Feb 21 '23 06:02
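
Added example, not part of either answer: the three-state check both answers describe (admin, signed-in non-admin, not logged in) for a handler that app.yaml alone cannot cover. The names decide_access, Decision and FakeUsers are hypothetical; get_current_user(), is_current_user_admin() and create_login_url() are the google.appengine.api.users calls, and the login URL returned by the fake is a constructed sample value.

```python
# Added example: three-state access check for a handler shared by
# admins, signed-in non-admins and anonymous visitors.
from collections import namedtuple

Decision = namedtuple("Decision", "status location view")


def decide_access(users_api, request_uri, admin_only=False):
    """Map the caller's login state to a response decision.

    users_api is any object exposing get_current_user(),
    is_current_user_admin() and create_login_url(dest_url); on App Engine
    pass the google.appengine.api.users module itself.
    """
    user = users_api.get_current_user()
    if user is None:
        if admin_only:
            # Anonymous caller on an admin-only path: send to login, return after.
            return Decision(302, users_api.create_login_url(request_uri), None)
        return Decision(200, None, "anonymous")
    if users_api.is_current_user_admin():
        return Decision(200, None, "admin")
    if admin_only:
        # Signed in but not an admin: deny instead of looping through login.
        return Decision(403, None, None)
    return Decision(200, None, "user")


class FakeUsers(object):
    """Constructed stand-in for google.appengine.api.users (runs offline)."""

    def __init__(self, user=None, admin=False):
        self._user, self._admin = user, admin

    def get_current_user(self):
        return self._user

    def is_current_user_admin(self):
        return self._user is not None and self._admin

    def create_login_url(self, dest_url):
        return "/_ah/login?continue=" + dest_url  # constructed sample URL


if __name__ == "__main__":
    for api in (FakeUsers(), FakeUsers("bob"), FakeUsers("root", admin=True)):
        print(decide_access(api, "/admin/stats", admin_only=True),
              decide_access(api, "/"))
```

Keeping login: admin in app.yaml for /admin/.* and calling a check like this inside the handler as well means a later change to the URL patterns does not silently expose the admin code.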