7

I am implementing Cloud Endpoints with a Python app that uses custom authentication (GAE Sessions) instead of Google Accounts. I need to authenticate the requests coming from the JavaScript client, so I would like to have access to the cookie information.

Reading this other question leads me to believe that it is possible, but perhaps not documented. I'm not familiar with the Java side of App Engine, so I'm not quite sure how to translate that snippet into Python. Here is an example of one of my methods:

from google.appengine.ext import endpoints
from protorpc import remote

class EndpointsAPI(remote.Service):
  @endpoints.method(Query_In, Donations_Out, path='get/donations',
                    http_method='GET', name='get.donations')
  def get_donations(self, req):
    # Authenticate request via cookie
    pass

where Query_In and Donations_Out are both ProtoRPC messages (messages.Message). The parameter req in the function is just an instance of Query_In and I didn't find any properties related to HTTP data, however I could be wrong.

rhefner1

2 Answers

14

First, I would encourage you to try to use OAuth 2.0 from your client as is done in the Tic Tac Toe sample.

Cookies are sent to the server in the Cookie Header and these values are typically set in the WSGI environment with the keys 'HTTP_...' where ... corresponds to the header name:

import os

# Collect every forwarded request header from the environment (Python 2.7 runtime).
http = {key: value for key, value in os.environ.iteritems()
        if key.lower().startswith('http')}

For cookies, os.getenv('HTTP_COOKIE') will give you the header value you seek. Unfortunately, this doesn't get passed along through Google's API Infrastructure by default.

UPDATE: This has been enabled for Python applications as of version 1.8.0. To send cookies through, specify the following:

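from google.appengine.ext import endpoints
from google.appengine.ext.endpoints import api_config
from protorpc import remote

# Forward cookies (and the related headers) to the application on appspot.
AUTH_CONFIG = api_config.ApiAuth(allow_cookie_auth=True)

@endpoints.api(name='myapi', version='v1', auth=AUTH_CONFIG, ...)
class MyApi(remote.Service):
    ...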

This is a (not necessarily comprehensive) list of headers that make it through:

  • HTTP_AUTHORIZATION
  • HTTP_REFERER
  • HTTP_X_APPENGINE_COUNTRY
  • HTTP_X_APPENGINE_CITYLATLONG
  • HTTP_ORIGIN
  • HTTP_ACCEPT_CHARSET
  • HTTP_ORIGINALMETHOD
  • HTTP_X_APPENGINE_REGION
  • HTTP_X_ORIGIN
  • HTTP_X_REFERER
  • HTTP_X_JAVASCRIPT_USER_AGENT
  • HTTP_METHOD
  • HTTP_HOST
  • HTTP_CONTENT_TYPE
  • HTTP_CONTENT_LENGTH
  • HTTP_X_APPENGINE_PEER
  • HTTP_ACCEPT
  • HTTP_USER_AGENT
  • HTTP_X_APPENGINE_CITY
  • HTTP_X_CLIENTDETAILS
  • HTTP_ACCEPT_LANGUAGE
bossylobster
  • Any idea when `HTTP_COOKIE` will be enabled? I run an enterprise application and it isn't possible to use Google OAuth as it's used in the Tic Tac Toe sample. I briefly explored setting up my own OAuth2 provider, but it seemed pretty clunky since the users would have to go through auth twice. Anyway, the `HTTP_COOKIE` header would make life so much easier. Thanks! – rhefner1 Mar 29 '13 at 14:49
  • Here is a monkey patch that will work for you: http://pastebin.com/jT7T6xPS Just make sure to replace `api_config.ApiConfigGenerator` before creating your `endpoints.api_server` for serving requests. – bossylobster Mar 29 '13 at 18:25
  • 1
    Thanks Danny! That worked perfectly. I assume based on your `logging.warn` message that this will be fixed in 1.7.7, so that's awesome. – rhefner1 Mar 29 '13 at 20:53
  • Is this really fixed in 1.7.7? The `HTTP_COOKIE` doesn't seem to be passed on .appspot.com although it works on my local dev. – mkhatib May 15 '13 at 02:35
  • Thanks for the heads up @mkhatib, I'll look into it (probably after Google I/O) – bossylobster May 15 '13 at 16:38
  • It seems like passing the cookie information through doesn't work yet (context: local python environment v1.8.0)? Are you still planning to enable this? Is there a workaround we can do in the meantime? – tosh Jun 06 '13 at 18:14
  • 1
    Also will we then need to add CSRF protection manually or will there be built-in functionality through google cloud endpoints? thanks a lot for your help – tosh Jun 06 '13 at 18:15
  • 1
    I'm also struggling with this. HTTP_COOKIE doesn't seem to be found in GAE but only in localhost. – CIF Jun 25 '14 at 14:13
  • It's possible this is out of date. I am no longer an employee so can't say definitively. – bossylobster Jun 25 '14 at 22:05
  • The post has been updated. You need to explicitly set `allow_cookie_auth` to True as in the example above for the headers + cookies to be included in appspot. It's not needed (or enabled by default) in dev_appserver. – john2x Oct 22 '14 at 02:07
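
How a handler could consume the forwarded headers once `allow_cookie_auth` is on, as an added example that is not part of the original answers: it reads `HTTP_COOKIE` and `HTTP_ORIGIN` from the environment, verifies an HMAC-signed session cookie and rejects foreign origins. The cookie name, key, allowed origin and cookie format are assumptions made for illustration, not the format GAE Sessions uses.

```python
import hashlib
import hmac
import os

try:
    from http.cookies import SimpleCookie, CookieError  # Python 3
except ImportError:
    from Cookie import SimpleCookie, CookieError  # Python 2.7 runtime

# Assumptions (placeholders, not from the original post): cookie name,
# signing key, allowed origin and the '<user_id>.<hmac>' cookie format.
SESSION_COOKIE = 'sid'
SECRET_KEY = b'constructed-demo-key'
ALLOWED_ORIGINS = frozenset(['https://example-app.appspot.com'])


def sign_session(user_id, key=SECRET_KEY):
    """Build the cookie value '<user_id>.<hex HMAC-SHA256(user_id)>'."""
    mac = hmac.new(key, user_id.encode('utf-8'), hashlib.sha256)
    return '%s.%s' % (user_id, mac.hexdigest())


def authenticate(environ=None, key=SECRET_KEY):
    """Return the user id carried by a valid session cookie, else None."""
    environ = os.environ if environ is None else environ
    # Browsers can attach cookies to cross-site requests, so reject any
    # request whose Origin (a forwarded header) is not ours. Requests
    # without an Origin pass here; state-changing methods should also
    # require a CSRF token.
    origin = environ.get('HTTP_ORIGIN')
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return None
    cookies = SimpleCookie()
    try:
        cookies.load(environ.get('HTTP_COOKIE', ''))
    except CookieError:
        return None
    morsel = cookies.get(SESSION_COOKIE)
    if morsel is None:
        return None
    user_id, sep, mac = morsel.value.rpartition('.')
    if not sep or not user_id:
        return None
    expected = sign_session(user_id, key).rpartition('.')[2]
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(mac.encode('utf-8'), expected.encode('utf-8')):
        return None
    return user_id
```

Inside an endpoint method, calling `authenticate()` with no arguments reads `os.environ`; raise `endpoints.UnauthorizedException` when it returns `None`.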
10

For the Java people who land here. You need to add the following annotation in order to use cookies in endpoints:

@Api(auth = @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE))

source

(Without that it will work on the local dev server but not on the real GAE instance.)

Tim Bartsch
  • This helped me a lot when I was using Spring Security with Cloud Endpoints. Just by adding this statement, endpoints use the session, where the authenticated user has been set by SecurityContextPersistenceFilter – Pokuri Sep 07 '15 at 14:04