I would like to host my Flask-based web application on GAE.
Regular users are authenticated against Google using flask-oauthlib.
However, I would like to authenticate admin users using GAE's Users API, since it provides, among other things, users.is_current_user_admin().
However, it seems that I cannot protect the admin region from app.yaml, because the following configuration is not valid:
```yaml
# app.yaml
[...]
handlers:
# For admin users
# THIS IS INVALID!
- url: /admin
  login: admin
# For regular users
- url: /.*
  script: main.app
```
Option 1: Create a separate Flask app object in the same GAE application:
```yaml
# app.yaml
[...]
# For admin users
- url: /admin
  script: admin.app
  login: admin
```
Is that a good practice? If not, why?
Option 2: Simply implement a function such as:
```python
def is_admin():
    return current_user.email in ["admin1@...", "admin2@...", "admin3@..."]
```
That is, do not rely on GAE's Users API.
Notes:
- there are only a few admin users
- I do not need fine-grained roles at the moment
Any thoughts (other solutions)?
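An added example, not part of the question: a fail-closed `admin_required` decorator that takes the admin test as a parameter, so the same views can use the question's Option 2 allow-list (with normalised, case-insensitive matching) or defer to the App Engine Users API instead. It is framework-independent: the view receives the already-authenticated email explicitly (in the Flask app that would be `current_user.email` as set by flask-oauthlib); the email addresses, the `Forbidden` class and all function names are constructed for this example.

```python
# Added example (not from the question): one decorator, two admin checks.
# The email passed in must come from the identity the app itself verified
# (the OAuth login), never from a query parameter or form field.
from functools import wraps
from typing import Callable, Optional

# Option 2: a small, fixed allow-list. Addresses are constructed placeholders.
# Stored lower-cased because Google account emails are case-insensitive;
# compare normalised values, not raw strings.
ADMIN_EMAILS = frozenset(
    e.lower() for e in ("admin1@example.com", "admin2@example.com")
)


class Forbidden(Exception):
    """Raised when an anonymous or non-admin caller hits an admin view."""


def is_admin_by_allowlist(email: Optional[str]) -> bool:
    """Option 2: membership in a fixed list; False for anonymous callers."""
    if not email:
        return False
    return email.strip().lower() in ADMIN_EMAILS


def is_admin_by_gae_users_api(_email: Optional[str]) -> bool:
    """Users API variant: defer to App Engine's own admin flag.
    Importable only inside App Engine; anywhere else it fails closed."""
    try:
        from google.appengine.api import users  # assumption: GAE SDK present
    except ImportError:
        return False
    return bool(users.get_current_user()) and users.is_current_user_admin()


def admin_required(is_admin: Callable[[Optional[str]], bool]):
    """Decorator factory: the wrapped view runs only if is_admin(email)."""
    def decorator(view):
        @wraps(view)
        def wrapper(email: Optional[str], *args, **kwargs):
            if not is_admin(email):          # deny by default
                raise Forbidden("admin privileges required")
            return view(email, *args, **kwargs)
        return wrapper
    return decorator


@admin_required(is_admin_by_allowlist)   # swap in is_admin_by_gae_users_api
def admin_dashboard(email: str) -> str:
    return f"dashboard for {email}"


def try_dashboard(email: Optional[str]) -> str:
    """Returns the view's output, or 'forbidden' when access is denied."""
    try:
        return admin_dashboard(email)
    except Forbidden:
        return "forbidden"
```

In the Flask app the `Forbidden` exception would be mapped to a 403 response (or a redirect to the login URL) with an error handler.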