Is it possible to either turn off the api explorer completely or limit the access to it?

I noticed some logs in my app that come from failed requests executed from a browser. My API is only consumed by an Android app, so the only place they can come from is the API explorer. Also, the API access is limited to 1 web and 1 Android client ID.

Gabriel Ittner

3 Answers

Unfortunately no. The API explorer works by using the Discovery Service associated with your API, which is not actually part of your backend, so you can't specify auth or visibility for those URIs.

The list method from the Discovery service is used to generate the list on the APIs Explorer app using your app as base:

discovery.apis.list:

your-app-id.appspot.com/_ah/api/discovery/v1/apis

When someone clicks one of the APIs from the list, the full discovery document is retrieved for that apiName and apiVersion using the getRest method from the Discovery service:

discovery.apis.getRest:

your-app-id.appspot.com/_ah/api/discovery/v1/apis/{apiName}/{apiVersion}/rest

bossylobster
  • Do you have any recommendations for an admin side of an application? I'm seeing something like /_ah/spi/{service class name}.{method}. Would it be ok to add multiple handlers matching /_ah/spi/.*? – 12345 Apr 20 '13 at 23:42
  • I would recommend that you implement the Admin part in the handler methods. `endpoints.api_server` is intended to produce a single handler for all your APIs. – bossylobster Apr 21 '13 at 18:10
  • But how do I prevent someone from deleting all my database (Datastore)? – InsaurraldeAP Dec 10 '13 at 00:07
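Since the discovery document described in this answer cannot be hidden, the practical defensive step is to read it yourself and know exactly what it advertises. The script below is an added example (not code from the thread or from Google): it parses a document in the `discovery#restDescription` format, walks top-level methods and nested resources, and flags methods that declare no OAuth scope, which the API Explorer will call without any token, singling out the mutating ones. The document embedded here is a constructed sample for a hypothetical `survey` API, not the output of a real app.

```python
"""Audit what a Cloud Endpoints discovery document reveals.

Added example, not from the thread.  Reads a ``discovery#restDescription``
document like the one served at
your-app-id.appspot.com/_ah/api/discovery/v1/apis/{apiName}/{apiVersion}/rest
and lists every exposed method, marking those with no declared OAuth scope
(the Explorer calls these with no token; whether the handler rejects the call
is up to your code).  The document below is a constructed sample.
"""
import json

SAMPLE_DISCOVERY_DOC = json.dumps({
    "kind": "discovery#restDescription",
    "name": "survey",
    "version": "v1",
    "baseUrl": "https://your-app-id.appspot.com/_ah/api/survey/v1/",
    "methods": {
        # top-level, read-only, no scopes: anonymous read
        "list": {"id": "survey.list", "path": "responses", "httpMethod": "GET"},
    },
    "resources": {
        "responses": {
            "methods": {
                "get": {
                    "id": "survey.responses.get",
                    "path": "responses/{token}",
                    "httpMethod": "GET",
                },
                "delete": {
                    "id": "survey.responses.delete",
                    "path": "responses/{id}",
                    "httpMethod": "DELETE",
                    "scopes": ["https://www.googleapis.com/auth/userinfo.email"],
                },
                # mutating method with no declared scope: the one to worry about
                "purge": {
                    "id": "survey.responses.purge",
                    "path": "responses/purge",
                    "httpMethod": "POST",
                },
            }
        }
    },
})

# HTTP methods that should not change server state
SAFE_HTTP_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def iter_methods(node):
    """Yield every method dict in a restDescription, descending into nested resources."""
    for method in node.get("methods", {}).values():
        yield method
    for resource in node.get("resources", {}).values():
        yield from iter_methods(resource)


def exposed_methods(doc_json):
    """Return (id, httpMethod, path, requires_oauth) for each method, sorted by id."""
    doc = json.loads(doc_json)
    rows = []
    for m in iter_methods(doc):
        rows.append((m["id"], m.get("httpMethod", "GET"), m["path"], bool(m.get("scopes"))))
    return sorted(rows)


def unauthenticated_mutations(doc_json):
    """Ids of methods that change state yet declare no OAuth scope."""
    return [
        mid for mid, http, _path, requires_oauth in exposed_methods(doc_json)
        if http.upper() not in SAFE_HTTP_METHODS and not requires_oauth
    ]


if __name__ == "__main__":
    for mid, http, path, requires_oauth in exposed_methods(SAMPLE_DISCOVERY_DOC):
        print(f"{http:7}{path:22}{mid:28}{'oauth' if requires_oauth else 'ANONYMOUS'}")
    print("unauthenticated mutations:", unauthenticated_mutations(SAMPLE_DISCOVERY_DOC))
```

To audit a real deployment, fetch your own app's document from the `getRest` URL given in the answer and pass its JSON to `exposed_methods` in place of the sample; any id reported by `unauthenticated_mutations` is a method whose handler must do its own user check.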
If you are looking for ways to prevent the execution of the API, check out Cloud Endpoints: Control who can execute API through API Explorer

sam
endpoints makes auth easy and you can get the current user. You should use auth to ensure people don't mess with your private apis - otherwise people could trace what kind of post or get requests you're sending anyway - auth is always a good idea rather than trying to keep your apis secret.

If you're building a secret product and you don't want your competitor to find out, you could perhaps use some obfuscation method on the backend and on your client which makes the apis unreadable.

Also, a user messing with your apis shouldn't break your database - or if it does - it should only break it for the user that was being foolish. Having logic in your client for how apis are used so that the backend doesn't break is a bad idea - the backend apis should take care of themselves and not worry about how or why they are used, by whom, or for what purpose.

Rusty Rob
  • I've seen folks say this, but can you point to an example where endpoints on GAE require authentication without a Google account (but just the client ID that's specified in the developer console)? For instance, in my case I have an API that I use from JavaScript, but I don't want others using my APIs... for example, one of my APIs returns the answers from a survey given a token. I don't want an arbitrary person using the API to dump all the responses to surveys, but an anonymous user on the site should be able to see responses to the survey given their token. – SimplicityGuy Apr 10 '15 at 00:19
  • interesting point - Could you make the tokens unguessable? It would be nice to be able to restrict access of an api to the developers associated with the cloud project. (and also to grant access to certain domains). Perhaps that would be too many features for endpoints though - easier to wrap endpoints on the backend IMO. – Rusty Rob Apr 10 '15 at 01:19
  • Yeah, the tokens are unguessable (salted, time-based, and unique). I've spent the last hour trying to just use the client id and while I can prevent access to the API with it, I can't seem to avoid the Google login page... But what I want is to login with essentially what is the client id as that already has the restrictions on where the API can be called from. – SimplicityGuy Apr 10 '15 at 01:50
  • I guess what I could use is an API key. However the docs on how to pass an API key are lacking. I'm guessing they're passed as a header, but what's the key? I would expect that App Engine would handle the inspection of the header with the API key to ensure it matches the referrer restrictions placed on it. Any examples? – SimplicityGuy Apr 10 '15 at 04:05
  • not sure what you're asking sorry. Did you try using the GAPI javascript client? maybe ask a new question on stackoverflow – Rusty Rob Apr 10 '15 at 20:26
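The answer above argues for authorization in the handler rather than secrecy of the API, and the comments raise two concrete cases: anonymous reads by an unguessable token, and stopping one caller from wiping everyone's data. The following is an added example (not code from the thread) that models both. In a Python Cloud Endpoints handler on App Engine the caller would come from `endpoints.get_current_user()` and the errors would be `endpoints.UnauthorizedException` and `endpoints.ForbiddenException`; those are stood in here by plain classes so the file runs without App Engine. The e-mail addresses, survey answers and admin list are constructed sample values.

```python
"""Authorization inside the handler, not secrecy of the API (added example).

``User``, ``UnauthorizedException`` and ``ForbiddenException`` stand in for
the App Engine ``endpoints`` objects of the same purpose; everything else is
ordinary Python so it runs offline.  All addresses and data are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


class UnauthorizedException(Exception):
    """Stand-in for endpoints.UnauthorizedException (HTTP 401): no sign-in."""


class ForbiddenException(Exception):
    """Stand-in for endpoints.ForbiddenException (HTTP 403): signed in, not allowed."""


@dataclass
class User:
    """Minimal stand-in for what endpoints.get_current_user() returns."""
    email: str


@dataclass
class SurveyResponse:
    owner: str
    answers: dict
    # 32 random bytes, URL-safe: the "unguessable token" from the comments
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


ADMINS = frozenset({"admin@example.com"})  # constructed allow-list


def require_user(current_user):
    """Authentication gate every non-anonymous method calls first."""
    if current_user is None:
        raise UnauthorizedException("sign in required")
    return current_user


class SurveyService:
    def __init__(self):
        self._responses = {}  # response id -> SurveyResponse
        self._next_id = 1

    def submit(self, current_user, answers):
        user = require_user(current_user)
        rid = self._next_id
        self._next_id += 1
        self._responses[rid] = SurveyResponse(owner=user.email, answers=dict(answers))
        return rid

    def token_for(self, current_user, rid):
        """Owner only: hand out the anonymous-read token for one response."""
        user = require_user(current_user)
        resp = self._responses[rid]
        if resp.owner != user.email:
            raise ForbiddenException("not your response")
        return resp.token

    def get_by_token(self, token):
        """Anonymous read scoped to a single response; constant-time token compare."""
        for resp in self._responses.values():
            if hmac.compare_digest(resp.token.encode(), token.encode()):
                return resp.answers
        raise ForbiddenException("unknown token")

    def delete(self, current_user, rid):
        """Owner or admin only, so a caller can at most damage their own data."""
        user = require_user(current_user)
        resp = self._responses.get(rid)
        if resp is None:
            return False
        if resp.owner != user.email and user.email not in ADMINS:
            raise ForbiddenException("not owner or admin")
        del self._responses[rid]
        return True

    def purge(self, current_user):
        """Bulk operation: admins only, even though the method is visible to all."""
        user = require_user(current_user)
        if user.email not in ADMINS:
            raise ForbiddenException("admin only")
        count = len(self._responses)
        self._responses.clear()
        return count
```

The point carried over from the answer is that none of these checks depends on the method being unknown: `purge` is as discoverable as `get_by_token`, and it is the check at the top of the handler, not the Explorer's visibility, that keeps it from wiping the store.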