Everyone who successfully authenticates through Google account would be able to execute the API through the API Explorer.
I would like to limit the ability to execute the API through API Explorer only to some users. But at the same time have the API accessible for all users of my Android and iOS apps.
Security in the case of at least Android App is facilitated through the Android Client Id and SHA fingerprint. So, the scope here is to NOT include the App access security.
sam
- Identify that the request is coming through the API explorer. One way is through the origin/referrer in the headers. For obtaining header information see this question.
And,
- If the list of users is known, in the endpoints method raise
endpoints.UnauthorizedExceptionif the user (endpoints.get_current_user()) is not in the list.
Python sample code:
if self.request_state.headers.get('x-referer') == "https://apis-explorer.appspot.com" and endpoints.get_current_user() not in MY_LIST:
raise endpoints.UnauthorizedException('Not Authorized')
来源:https://stackoverflow.com/questions/42521424/cloud-endpoints-control-who-can-execute-api-through-api-explorer