5

I would like to create a task handler that is supposed to deal with some tasks with retry, etc.

But I want this endpoint to only be triggerable by a specific queue in Google Tasks?

How am I supposed to deal with it? What is the best practice?

Best regards

ScreamZ

1 Answer

3

UPDATE: Check Will's comment. This answer might be outdated and no longer work. Before applying it, be sure to test extensively.


According to the Cloud Tasks documentation, requests incoming from Cloud Tasks will have the X-AppEngine-QueueName header.

This header is not listed in the GAE docs about removed request headers, but I just tested it and this header is also removed.

To secure your GAE app to only be called through Cloud Tasks, validate that the X-AppEngine-QueueName header is in one of the approved queues that you want to allow to call your app.

Jofre
  • All right, thanks :) Is there any way to lock access internally to my Google Cloud account network (using a firewall or something like that)? This could prevent users from spamming my endpoint, even if I just ignore non-header-specific requests? – ScreamZ May 13 '19 at 09:00
  • There is an option to [create firewall rules for your App Engine app](https://cloud.google.com/appengine/docs/standard/go111/creating-firewalls), but I'm unsure how it will handle requests from Cloud Tasks. Be sure to run some tests with the firewall enabled to be sure your app can receive requests from Cloud Tasks (I think the IPs from Cloud Tasks are dynamic, so don't trust just whitelisting a bunch of IPs from your initial tests). – Jofre May 13 '19 at 09:27
  • 2
    I've tested it with the py38 runtime and I can successfully set X-Appengine-Queuename using Postman, and unfortunately it is not stripped. I can basically spoof this. – Will Aug 29 '20 at 00:40
  • Thanks for testing and commenting. I've updated the answer saying that it might be outdated. – Jofre Sep 02 '20 at 13:21
  • Too bad this answer may be outdated. I have the same question! :-) – Hans Bouwmeester Sep 25 '20 at 23:34
  • The latest advice is to use "X-Appengine-Taskname"; for a fake call it will be "". – AshF Nov 11 '21 at 00:30
  • Another thing that could be used - the documentation states requests will come from the IP 0.1.0.2 - https://cloud.google.com/tasks/docs/creating-appengine-handlers#reading_request_headers – Mark Jan 19 '23 at 21:04
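
An added example, not part of the original answer or comments: a Python check that combines the three signals mentioned in this thread (queue-name allowlist, non-empty task name, source address 0.1.0.2) and rejects a request unless all of them hold. The queue name `example-queue`, the function names and the `remote_addr` parameter (the client address as your framework reports it) are assumptions; the thread disagrees on whether these headers are stripped from outside requests, so test the behaviour on your own runtime.

```python
from typing import Mapping, Tuple

# Hypothetical allowlist; replace with the queues allowed to call the handler.
ALLOWED_QUEUES = frozenset({"example-queue"})
# Source address cited in the thread from the Cloud Tasks documentation.
CLOUD_TASKS_SOURCE_IP = "0.1.0.2"


def _single_header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive lookup. Returns '' when the header is absent or when
    it appears more than once under different spellings (ambiguous input)."""
    wanted = name.lower()
    values = [v.strip() for k, v in headers.items() if k.lower() == wanted]
    return values[0] if len(values) == 1 else ""


def check_task_request(headers: Mapping[str, str], remote_addr: str,
                       allowed_queues=ALLOWED_QUEUES) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check must pass; any failure rejects."""
    queue = _single_header(headers, "X-AppEngine-QueueName")
    task = _single_header(headers, "X-AppEngine-TaskName")
    if not queue:
        return False, "missing or ambiguous queue name"
    if queue not in allowed_queues:
        return False, "queue not allowed"
    if not task:
        return False, "empty task name"
    if remote_addr != CLOUD_TASKS_SOURCE_IP:
        return False, "unexpected source address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"X-Appengine-Queuename": "example-queue",
          "X-Appengine-Taskname": "1234567890"}, "0.1.0.2"),
        ({"X-Appengine-Queuename": "example-queue"}, "203.0.113.7"),
        ({"X-Appengine-Queuename": "other-queue",
          "X-Appengine-Taskname": "1234567890"}, "0.1.0.2"),
    ]
    for hdrs, addr in samples:
        print(addr, check_task_request(hdrs, addr))
```

A handler would call `check_task_request` first and return a 403 for any rejected request before doing task work.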