The FAQ recommends that, when setting up your PubSub push subscription, you put a shared secret token as a request parameter, which you check for in your handler.
If you additionally would like to verify that the messages originated from Google Cloud Pub/Sub, you could configure your endpoint to only accept messages that are accompanied by a secret token argument, for example,
https://myapp.mydomain.com/myhandler?token=application-secret.
Since PubSub does not use App Engine authentication and we are using the token to authenticate, you should not specify a login key in your app.yaml entry for this handler. Here's an example:
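main.py

    import hmac
    import webapp2

    class Handler(webapp2.RequestHandler):
        def post(self):
            # A missing token must yield 401, not a KeyError (HTTP 500).
            token = self.request.params.get('token', '')
            # Compare in constant time; 'foo' stands in for the shared secret.
            if not hmac.compare_digest(token.encode('utf-8'), 'foo'):
                self.abort(401, 'Not authorized')
            # do stuff

    app = webapp2.WSGIApplication([
        ('/', Handler),
    ], debug=True)
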
app.yaml

    runtime: python27
    api_version: 1
    threadsafe: true

    handlers:
    - url: /.*
      script: main.app