I want to be able to verify that the request coming in to the doPost of my servlet on AppEngine is coming from my push pubsub subscription. I saw a similar question here: Authenticating PubSub Push messages in AppEngine and the solution was to use a shared token as specified in the PubSub faq, but then anyone with access to that token would be able to push messages.
Currently, I am looking at restricting access to the servlet by using a handler in my app.yaml and requiring administrator status as described here: https://cloud.google.com/appengine/docs/flexible/java/configuring-your-app-with-app-yaml#security, the doc says that:
Note: the admin login restriction is also satisfied for internal requests for which App Engine sets appropriate X-Appengine special headers. For example, cron scheduled tasks satisfy the admin restriction, because App Engine sets an HTTP header X-AppEngine-Cron: true on the respective requests
I am trying to find a way to get the same functionality with pubsub, but the headers that are sent with the pubsub push message show X-AppEngine-User-Id=null and X-AppEngine_User-Is-Admin=0. Therefore the admin restriction is not met and access is denied.
Is there any way to give the subscription admin access or can any of the headers be used to validate the origin of the message?
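For reference, here is what the shared-token approach from the Pub/Sub FAQ mentioned in the question looks like in a servlet, as an added example (not code from the question or from Google's documentation). It assumes the token is passed as a `token` query parameter on the push endpoint URL and that the expected value is read from an environment variable named `PUBSUB_VERIFICATION_TOKEN` (both names are assumptions); the comparison uses `MessageDigest.isEqual` so that a wrong token cannot be distinguished by timing, and the X-AppEngine headers are logged only for diagnosis, since as the question notes they do not establish the sender.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Push endpoint that accepts a message only when the shared token matches. */
public class PubSubPushServlet extends HttpServlet {

    // Assumption: the expected token is provisioned out of band via an environment variable.
    private static final String EXPECTED_TOKEN = System.getenv("PUBSUB_VERIFICATION_TOKEN");

    /** Constant-time comparison; returns false for a missing token or missing configuration. */
    static boolean tokenMatches(String presented, String expected) {
        if (presented == null || expected == null) {
            return false;
        }
        byte[] a = presented.getBytes(StandardCharsets.UTF_8);
        byte[] b = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Assumption: the subscription's push endpoint URL carries ?token=... as in the FAQ approach.
        if (!tokenMatches(req.getParameter("token"), EXPECTED_TOKEN)) {
            // Reject without revealing whether the token was absent or merely wrong.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Diagnostic only: these headers are set by App Engine for its own internal requests
        // (e.g. cron), but for Pub/Sub push they carry no admin marker, so they are not used for auth.
        log("X-AppEngine-User-Id=" + req.getHeader("X-AppEngine-User-Id")
            + " X-AppEngine-User-Is-Admin=" + req.getHeader("X-AppEngine-User-Is-Admin"));

        // At this point the request carries the shared token; process the Pub/Sub envelope here.
        // A 2xx status acknowledges the message; any other status causes Pub/Sub to redeliver it.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Anyone holding the token can still call the endpoint, which is the limitation the question raises; the check above only ensures the token is validated without leaking information through the comparison.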