1

I have an endpoint method that requires a user object. Would I do the following? It seems a bit strange since I could get the user using endpoints.get_current_user().

```python
@endpoints.method(FriendListRequest, FriendListResponse,
                  path='scores', http_method='POST',
                  name='scores.list')
def friend_list(self, request):
  # work would go here
```

Then the FriendListRequest would be

```python
class FriendListRequest(messages.Message):
    user_object = messages.Field(1, required=True)
```

The reason I need the User object is because I must use the User email to query and find the friends of said user.

bossylobster
learner

2 Answers

3

To securely authenticate a user, Cloud Endpoints provides simple OAuth 2.0 support. Instead of passing a user object (insecure) in with the request, the request message can be a VoidMessage and you can rely on the Authorization header, which contains the OAuth 2.0 token for the user.

To actually get the current user, you will call endpoints.get_current_user(); this will require adding allowed_client_ids and/or audiences in either the @endpoints.method decorator or the @endpoints.api method. See the docs for more info.

For example, on the API:

```python
@endpoints.api(name='myapi', ...,
               allowed_client_ids=[MY_CLIENT_ID])
class MyApi(...):

    @endpoints.method(message_types.VoidMessage, FriendListResponse,
                      path='scores', http_method='POST',
                      name='scores.list')
    def friend_list(self, request):
        user = endpoints.get_current_user()
        # work would go here
```

or, on the method:

```python
    @endpoints.method(message_types.VoidMessage, FriendListResponse,
                      path='scores', http_method='POST',
                      name='scores.list',
                      allowed_client_ids=[MY_CLIENT_ID])
    def friend_list(self, request):
        user = endpoints.get_current_user()
        # work would go here
```
bossylobster
learner
    This will require adding `allowed_client_ids` and/or `audiences` in either the `@endpoints.method` decorator or the `@endpoints.api` method. See the [docs](https://developers.google.com/appengine/docs/python/endpoints/create_api#allowed-clients-and-audiences) for more info. – bossylobster Mar 20 '13 at 17:11
    Do you mind if I update your answer to include this information? – bossylobster Mar 20 '13 at 20:09
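
Why the request body is the wrong place for the caller's identity, as an added example that is not code from the question or the answers. It is a self-contained simulation: an HMAC-signed token stands in for the OAuth 2.0 token that Cloud Endpoints validates, and `FRIENDS`, `SERVER_KEY`, `issue_token`, `current_user` and both handler names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample data: each user's friends, keyed by email.
FRIENDS = {
    "alice@example.com": ["carol@example.com"],
    "bob@example.com": ["dave@example.com"],
}
# Assumption: stand-in for the identity provider's signing key.
SERVER_KEY = b"constructed-demo-key"


def _sign(email):
    return hmac.new(SERVER_KEY, email.encode(), hashlib.sha256).hexdigest()


def issue_token(email):
    """Stand-in for the identity provider: sign the email it authenticated."""
    payload = base64.urlsafe_b64encode(email.encode()).decode()
    return payload + "." + _sign(email)


def current_user(headers):
    """Stand-in for endpoints.get_current_user(): verified email or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    payload, _, mac = token.partition(".")
    if scheme != "Bearer" or not payload or not mac:
        return None
    try:
        email = base64.urlsafe_b64decode(payload.encode()).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return None
    ok = hmac.compare_digest(mac.encode(), _sign(email).encode())
    return email if ok else None


def friend_list_from_body(headers, body):
    """Pattern from the question: identity is whatever the request claims."""
    return FRIENDS.get(body["user_email"], [])


def friend_list_from_token(headers, body):
    """Pattern from the first answer: identity comes only from the token."""
    user = current_user(headers)
    if user is None:  # no token, or one that fails verification
        raise PermissionError("missing or invalid token")
    return FRIENDS.get(user, [])
```

With a token issued to bob@example.com and a body naming alice@example.com, the body-based handler returns Alice's friends, while the token-based handler ignores the body and returns Bob's. A caller with no valid token is rejected instead of being treated as a user.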
0

Create a user object using users and pass the same

A User instance can be also constructed from an email address:

```python
from google.appengine.api import users

user = users.User("A***.j***@gmail.com")
```
Abdul Kader