Custom Authenication(User Model) for Cloud Endpoints-Python

Question

I am developing an Android application with a GAE backend, for sessions etc. I want to use Google Cloud Endpoint and develop an API with custom authentication user model. I dont want to use the google's oauth. I want to implement a simple email/pass user authentication model with a session based token. I have no experience on GAE whatsoever. I have worked in python and it's frameworks(django, flask, etc).

I have looked for a sample project of this kind for past week(with no luck).

Can someone please provide me with sample code/resource on how to implement such an endpoint with session management and csrf protection along with ssl?

Ps: If you think cloud endpoints is not a good approach for my application(server backend) then please direct me to a source that may aid me in creating my own RESTful api with JSON encoding + crsf-protection and session management.

I have already seen the following but none of them have a detailed solution:

• Custom Authentication for Google Cloud Endpoints (instead of OAuth2)
• Google App Engine: Endpoints authentication when custom auth or Open ID is used
• AppEngine Cloud Endpoints and custom Users service

Answer 1

You're in for a ride. It's not a simple process, but I've managed to do just what you're looking for--albeit in a slightly hackish way.

First, there's a boilerplate project for GAE (in Python) that implements a custom email/pwd login system using webapp2's extras: http://appengine.beecoss.com/

It follows the guidelines for setting up custom authentication detailed in this blog post: http://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/

This project will set things up so that your user will start a session upon login. Now, in order to access the user information on this session in your endpoints, you'll follow the instructions to that first StackOverflow link you posted.

The key, after following the previous steps, is to match the session key in your endpoints to the session key in the config file of the boilerplate code. Then, you'll be able to get which user made the request and follow through with the endpoint call if they're validated:

    self.get_user_from_cookie()

    if not self.user:
        raise endpoints.UnauthorizedException('Invalid token.')

It is incredibly ridiculous that this is how it works for custom authentication, so if you're used to Django and would like to implement your app that way, DO IT. It was "too late to turn back now" for me, and I despise Google for only documenting authentication schemes that work for Google account holders only.

OP, just use Django on GAE and save yourself the frustration. I'm sure there's plenty of quick integration with mobile apps that the Django community can provide.

No one wants to force their app users to have Google accounts in order to log in, Google. Stop it.