How to make Google Endpoints inaccessible from the web?

为君一笑 submitted on 2019-12-06 16:15:20

Question


I have an Android app that has access to a set of APIs through Google Endpoints. The problem is that the same APIs are accessible from the web through https://your-app-id.appspot.com/_ah/api/explorer, and I don't want this to happen. That is, I want the datastore to be accessible (and modifiable) only from mobile devices. Is there a simple way to do this? I had a look at endpoint authentication and did not completely understand that (I'm still new to all of this...), so I wondered if there was a simpler answer to this (apparently) simple problem.


Answer 1:


There is currently no way to change the fact that your endpoints are publicly visible from the web (etc.).

You can, however, implement authentication to ensure that they are only used by your clients (whether mobile or web). You can authenticate against the Google account on the client device, or you can just authenticate your app.

The documentation for this is here: https://developers.google.com/appengine/docs/java/endpoints/consume_android

There is also some here:
https://developers.google.com/eclipse/docs/endpoints-addauth

Unfortunately, neither is very good, and they focus more on user (vs. app) authentication. So if you have problems I would also suggest you search SO with "[google-app-endpoints]authentication".




Answer 2:


In order to restrict access to the API to only apps that you've written you will need to implement authenticated API calls.

The second set of instructions in the README for https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-android details how to register your app with Google Play Services in order to authenticate your app and users.

https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-java-maven/blob/master/src/main/java/com/google/devrel/samples/helloendpoints/Greetings.java#L50 shows an authenticated Cloud Endpoints method implementation. If an invocation happens on that method that isn't authenticated, the User object will be null.
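
The pattern both answers describe, as an added example that is not part of either answer or of the linked sample: the backend lists only the Android OAuth client ID as an accepted caller and rejects any call where the injected `User` is null before touching the datastore. The API name, class names, the `Note` kind and both client ID strings are hypothetical placeholders.

```java
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.datastore.DatastoreServiceFactory;
import com.google.appengine.api.datastore.Entity;
import com.google.appengine.api.users.User;

@Api(
    name = "notes",  // hypothetical API name
    version = "v1",
    scopes = {"https://www.googleapis.com/auth/userinfo.email"},
    // Only tokens issued to these OAuth client IDs yield a non-null User.
    clientIds = {NotesApi.ANDROID_CLIENT_ID},
    // Audience the Android client requests its token for (the web client ID).
    audiences = {NotesApi.WEB_CLIENT_ID})
public class NotesApi {
  // Placeholders: replace with the client IDs registered for your project.
  static final String ANDROID_CLIENT_ID = "REPLACE_ME-android.apps.googleusercontent.com";
  static final String WEB_CLIENT_ID = "REPLACE_ME-web.apps.googleusercontent.com";

  /** Request body (hypothetical bean). */
  public static class Note {
    private String text;
    public String getText() { return text; }
    public void setText(String text) { this.text = text; }
  }

  /** Response body (hypothetical bean). */
  public static class SaveResult {
    private final String owner;
    SaveResult(String owner) { this.owner = owner; }
    public String getOwner() { return owner; }
  }

  @ApiMethod(name = "notes.save", path = "notes", httpMethod = ApiMethod.HttpMethod.POST)
  public SaveResult save(Note note, User user) throws UnauthorizedException {
    // The endpoint stays reachable from the web; unauthenticated callers
    // (or callers using an unlisted client ID) arrive here with user == null.
    if (user == null) {
      throw new UnauthorizedException("Authenticated call from a registered client required");
    }
    Entity entity = new Entity("Note");
    entity.setProperty("text", note.getText());
    entity.setProperty("owner", user.getEmail());
    DatastoreServiceFactory.getDatastoreService().put(entity);
    return new SaveResult(user.getEmail());
  }
}
```

Every method that reads or writes the datastore needs the same `User` parameter and null check; a method declared without it is callable anonymously.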



Source: https://stackoverflow.com/questions/18616218/how-to-make-google-endpoints-inaccessible-from-the-web