I'm using pubsub to push messages into an App Engine app written in node on the flexible environment. Is there a way I can limit my endpoints to only traffic from pubsub?
In the standard environment, App Engine has handlers that can define admin only requests and secure endpoints. However, this functionality is not available in the flexible environment. Is it possible to set up Firewall rules for only Google requests (Firewall appears to be application wide, not endpoint?), is there a standard method to secure endpoints or do I need to custom roll a solution?
Turns out Google has posted a solution to this in the docs.
The solution is:
Create a token in your app.yaml environment:
env_variables:
PUBSUB_TOPIC: <your-topic-name>
# This token is used to verify that requests originate from your
# application. It can be any sufficiently random string.
PUBSUB_VERIFICATION_TOKEN: <your-verification-token>
Send the token with your message:
https://YOUR_APP_ID.appspot.com/pubsub/push?token=YOUR_TOKEN \
--ack-deadline 10
Check the token in your push handler:
if (req.query.token !== PUBSUB_VERIFICATION_TOKEN) {
res.status(400).send();
return;
}
RTFM!