Properly Securing GAE Task Queue URLs (without using app.yaml)

Question

I want to secure my Task Queue URLs against malicious access.

In the views that the Task Queue requests I've got:

if not users.is_current_user_admin():
    return HttpResponse(status=403)

But my Task Queues are receiving 403 errors! I was under the impression from this GAE documentation that the Task Queue user was gauranteed to be an admin. What gives?

NOTE: I'm using DjangoNonRel so I can't specify the admin only url access in my app.yaml, I have to do it programmatically in the views.

Answer 1

Tasks can bypass login: admin restrictions, however users.is_current_user_admin() will still return false, as there is technically no current user.

Using Django-nonrel shouldn't stop you from protecting your tasks with app.yaml. Just add a protected handler above your Django catch-all:

handlers:    

- url: /tasks/.+
  script: main.py
  login: admin

- url: .*
  script: main.py

Any URLs that start with /tasks/ will be accessible to the task queue and inaccessible to non-admin visitors, without changing how anything routes.

Answer 2

Your handlers can look for a task queue HTTP header, such as X-AppEngine-QueueName.

From official GAE docs :

Requests from the Task Queue service contain the following HTTP headers:

X-AppEngine-QueueName
X-AppEngine-TaskName
X-AppEngine-TaskRetryCount
X-AppEngine-TaskExecutionCount
X-AppEngine-TaskETA

These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a Task Queue request. If any of the above headers are present in an external user request to your app, they are stripped.