Thursday, June 30, 2011

User Authentication & Authorization [AT] Google AppEngine

AppEngine is a PaaS offered with a 'limited free' tier to all GMail users (Google Account owners), so you can host your web content there using Python, Java or Go.

AppEngine lets your Web-App reuse the existing Google A/c of its users for their authentication and authorization at your AppEngine-hosted Web-App as well.

So, there are two main ways to achieve that:
  1. import google.appengine.api.users
    This USERS module from the AppEngine APIs lets your Web-App identify a user by their Google A/c ID (GMail ID) and then decide whether to route them to the secured resource or to a forbidden-resource error message.
    [ An Example on Usage ]
  2. specify 'login' under 'app.yaml'
    The basic configuration of your Web-App and its routing configuration reside in the 'app.yaml' file, whose default location is the Web-App root.
    There you can add a 'login' setting to the secured 'url' entries to force the user through a Google A/c (GMail) login.
    [ An Example Of Usage ]
In both of these implementations, whenever a user tries to visit a 'secured url' on your Web-App, they are automatically redirected to the Google A/c Log-In page, which redirects them back to your Web-App on successful log-in.


The Curious Case of static_dir

Initially, while working on my newly initiated open-source project 'py-gae-legs', I added the entire 'secure URL' logic by method #1, i.e. using the 'users' API.
It was all working fine and secured until I added some static content using static_dir and tried securing its URL using the same tactic.

But there was a thing about 'static_dir' which I investigated after my supposed-to-be-secure static_dir's content turned out to be publicly available to anyone who could enumerate/know the complete URL.
{I'm in the category of people who keep their learning pace up along with working over it... and anyway I wasn't gonna read the entire #^(

The thing is that directories marked 'static_dir' in 'app.yaml' are no longer located on the AppEngine server at the same place once you upload your Web-App.
The rest of the directory structure remains the same; it's just that the 'static_dir' locations vanish from your Web-App's deployment on AppEngine and are served by a separate provision made by Google which maps back to those paths. Since those files never pass through your application code, a check written with the 'users' API in a handler is never executed for them.

So, to secure the URLs under a 'static_dir', the only way (that I know of) is to implement it at the very core of the Web-App configuration, i.e. in 'app.yaml' using Method #2.

So, you can make Google Login mandatory by setting 'login: required' on that 'url' entry. If you want only selected users to see it, you'll have to add all those Google A/c (GMail) IDs by doing the following:
[a.] go to the Dashboard of your GoogleAppEngine Web-App;
the URL-box link would look like:
https://appengine.google.com/permissions?app_id=s%7E$GAE_APPLICATION_NAME
[b.] click the link 'Permission' from the right menu column,
[c.] now invite all those users by providing their e-mail IDs and changing their role to 'Viewer', and in app.yaml provide 'login: admin' instead of 'login: required'.
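Putting Method #2 and the steps above together, here is an added app.yaml example (my own illustration, not a file from the original post or from py-gae-legs). The application id and the directory names 'public', 'members', 'private' and the script name 'main.py' are placeholders; the 'login' values are the ones the post describes.

```yaml
# Added example: not from the original post or from py-gae-legs.
# 'your-app-id', 'public', 'members', 'private' and 'main.py' are placeholders.
application: your-app-id
version: 1
runtime: python
api_version: 1

handlers:
# Truly public static files: no 'login' key at all.
- url: /public
  static_dir: public

# Any signed-in Google Account may fetch these files. Because static_dir
# content is served by Google's separate static provision and never passes
# through your handlers, app.yaml is the only place this check can live.
- url: /members
  static_dir: members
  login: required

# Only accounts invited through the Dashboard's Permission page (e.g. with
# the 'Viewer' role, as described in steps [a.]-[c.]) may fetch these files.
- url: /private
  static_dir: private
  login: admin

# Dynamic handlers can rely on this setting or on the users API in code.
- url: /.*
  script: main.py
  login: required
```

The 'url' of a static_dir entry is a prefix, so every file below 'private' inherits the 'login: admin' requirement; anything left without a 'login' key stays reachable by anyone who knows the URL, which is exactly the situation the post describes.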


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lately, I've been involved at starting an OpenSource project 'py-gae-legs'.

It's a very basic subset of a WebApp framework for lovers of the RoR style of web-app creation (I have been working with RoR for the past few months; I love the ease it gives but hate convention being its soul).

This project aims at web development specifically targeted to be hosted on AppEngine (currently).
Its basic starters are almost done; have a look at:
[] gae-flat-web : to create a structure hosting your already created static website, http://gae-flat-web.appspot.com
[] gae-private-web : [W.I.P.] to host all your private content securely (by Google) in an invite-only website