Yes, Deniz, I believe so, but just to be sure we are talking about the same "user ID" or, more precisely, how it is extracted: For Cloud Endpoints handlers in App Engine the implementation can be really simple and safe. If you implement the handler in Node.js (flexible environment) your handler reads the request's HTTP header X-Endpoint-API-UserInfo <https://cloud.google.com/endpoints/docs/openapi/authenticating-users#receiving_auth_results_in_your_api> to retrieve current user information as a JSON object, including the user ID. I assume that's what you intend to implement, and you can rely on the user information retrieved from this header (see earlier reply by Katayoon). If you intend to use the Authorization header instead, read my PS below. You might want your implementation to also check if the hosted domain is the same as a particular G Suite domain though, or apply whatever custom access control you need additionally (roles, custom claims etc.).

Other than that, as always keep tight control of user access to your GCP resources (via IAM in Cloud Console) and an eye on Audit Log <https://cloud.google.com/logging/docs/audit/>, and you should be safe.

Ani

PS: Theoretically, your handler could (instead of X-Endpoint-API-UserInfo) access the original HTTP Authorization header of the request (if I remember correctly, Cloud Endpoints ESP/OpenAPI makes it available to the handler) to validate the ID token and extract user information. But safely validating a JSON Web Token (JWT) is not trivial <https://cloud.google.com/endpoints/docs/openapi/troubleshoot-jwt-openapi>, given that anyone could send a fake ID token to your endpoint. Therefore I assume that's not what you plan to do. Handlers outside of Cloud Endpoints or even outside of App Engine might need to (partially) implement their own token validation, but I would avoid this wherever I can. For everyone who is interested: a very general platform-agnostic documentation is provided by Google Identity Platform: OpenID Connect - Validating an ID Token <https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken>.

On Tuesday, May 1, 2018 at 6:38:20 PM UTC+2, Deniz Yazar wrote:
>
> Hi Ani,
>
> I already have firebase database rules but I am only worried about the security of Google App Engine and Cloud Endpoints side. I am wondering is it really this simple to achieve security. I get the ID token of the user in my API running on google app engine. Then I use admin privileges to get info of that user ID I extracted from the token. I need to make sure that userID cannot be manipulated in the token. Can I be sure that the id I extract from the token is safe?
>
> On Monday, April 30, 2018 at 8:46:02 AM UTC-4, Ani Hatzis wrote:
>>
>> Hi Deniz,
>>
>>> allow users to get information about their account
>>
>> Is the only data shown to the user the information that has been extracted from the current user's ID token?
>>
>> Or do you store additional custom user information that your endpoints will show to the current user, e.g. their user profile? If you have more user-related data in Firebase than what is already managed by Firebase Auth (in Firebase Users), you might (as usual) need rules in FB to prevent reading/writing other users' custom data in Realtime Database (or Cloud Firestore). In Firebase, all authenticated users can read/write the entire database by default, unless you set up rules to restrict access. And the access works outside of your App Engine app, so you would need the FB rules as additional protection when clients access FB directly.
>>
>> Ani
>>
>> On Sunday, April 29, 2018 at 6:19:05 PM UTC+2, Deniz Yazar wrote:
>>>
>>> I am developing a web service (server) for my web application to allow users to get information about their account. After looking at every amazing Google Cloud product, I am thinking of doing the following to have a secure server on Google Cloud:
>>>
>>> 1. Having clients login with Firebase Auth on web app
>>> 2. Add security specifications in Cloud Endpoints to allow only firebase logged in users to access* specific paths (*running on a node.js server on Google App Engine)
>>> 3. Extract the ID token received on the server by decoding it to return users only their data
>>> - Is simply having firebase security rules in the openAPI file in Cloud Endpoints enough to make sure only users logged in can access their *own* data?
>>>
>>> I'm also limiting access to some paths for service accounts, after making that security rule in Cloud Endpoints, isn't there really anything else to do to make sure the system is secure. Is it really this easy to achieve a secure system? After this point, is it just my google account's security that's left to protect?

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
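As an added illustration of the approach Ani describes (this is example code, not code from the thread, from Google or from any of the participants), here is a Node.js handler that takes the caller's identity from the X-Endpoint-API-UserInfo header that ESP forwards, applies the optional hosted-domain check, and refuses requests where the header is missing or malformed instead of falling back to decoding the Authorization JWT itself. The header is assumed to carry base64- or base64url-encoded JSON; the field names used (`id`, `email`, `issuer`, `claims` for the ESP layout, `sub`, `iss`, `hd` for a flat claims layout) are assumptions about that JSON and should be checked against the linked documentation for the ESP version in use.

```javascript
// Added example (not from the thread): trust the identity ESP places in
// X-Endpoint-API-UserInfo and apply a hosted-domain check before returning
// the caller's own account data. The handler must only be reachable through
// ESP, since ESP is what sets (and overwrites) this header.

// ASSUMPTION: header JSON is either the ESP layout
//   { issuer, id, email, audiences, claims: "<JSON string of JWT claims>" }
// or a flat JWT-claims object { iss, sub, email, hd, ... }.
function parseUserInfo(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return null;
  let info;
  try {
    // Node's 'base64' decoder also accepts the URL-safe alphabet ('-' and '_').
    info = JSON.parse(Buffer.from(headerValue, 'base64').toString('utf8'));
  } catch (err) {
    return null; // malformed header: treat the request as unauthenticated
  }
  if (!info || typeof info !== 'object') return null;

  let claims = info.claims;
  if (typeof claims === 'string') {
    try { claims = JSON.parse(claims); } catch (err) { claims = {}; }
  }
  if (!claims || typeof claims !== 'object') claims = info; // flat layout

  const userId = info.id || claims.sub;
  if (typeof userId !== 'string' || userId.length === 0) return null;
  return {
    userId,
    email: info.email || claims.email || null,
    issuer: info.issuer || claims.iss || null,
    hostedDomain: typeof claims.hd === 'string' ? claims.hd : null,
  };
}

// Access decision for a "show me my own account" route. allowedDomain is an
// optional G Suite domain; when set, users outside that domain are rejected.
function authorizeAccountRequest(headerValue, allowedDomain) {
  const user = parseUserInfo(headerValue);
  if (!user) return { status: 401, reason: 'no authenticated user' };
  if (allowedDomain && user.hostedDomain !== allowedDomain) {
    return { status: 403, reason: 'hosted domain not allowed' };
  }
  // A real handler would now look up user.userId with the Firebase Admin SDK;
  // here the identity itself is returned as a constructed stand-in.
  return { status: 200, userId: user.userId, email: user.email };
}

// http.Server-style handler: plug into http.createServer((req, res) => ...).
function handleAccountRequest(req, res, allowedDomain) {
  const decision = authorizeAccountRequest(
    req.headers['x-endpoint-api-userinfo'], allowedDomain);
  const body = decision.status === 200
    ? { userId: decision.userId, email: decision.email }
    : { error: decision.reason };
  res.writeHead(decision.status, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(body));
}

// Constructed helper producing a header value the way ESP would (base64url
// JSON); used only to build sample input for local testing.
function encodeUserInfo(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8')
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_');
}

module.exports = { parseUserInfo, authorizeAccountRequest, handleAccountRequest, encodeUserInfo };
```

Because the decision is made purely from the forwarded header, the app never parses or verifies a JWT; the "fake ID token" problem Ani mentions is handled by ESP before the request reaches this code, and a request that arrives without the header (for example on a path the OpenAPI file does not protect) is refused rather than served.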
