
What is the best way to manage a user session in a Google App Engine application? Ideally I'd like to keep my application stateless and not save any user-related data in memory; however, I'm also afraid to send user credentials over the network on every request (not to mention that authenticating the user on every request would require a call to the Datastore, which costs money).

I checked out Google's OAuth 2.0 solution, but from my understanding it helps if my application wants to connect to any of the Google APIs and needs permission from the client to access his Google account.

Is there a go-to way for managing user sessions? The most common scenario is to know which user initiated this request without having to send the userId as a request parameter.

Please note that we are not using third-party providers. The user registers himself on our page normally and has a custom account. I'm not looking for tools that help integrate authentication with third-party services; otherwise I'd be using Google's OAuth 2.0 or a similar API.

PentaKon

1 Answer


You can always implement the Authenticator interface.

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    import com.google.api.server.spi.auth.common.User;
    import com.google.api.server.spi.config.Api;
    import com.google.api.server.spi.config.Authenticator;
    import com.google.api.server.spi.response.UnauthorizedException;

    // Each public class below goes in its own .java file.
    public class MyAuthenticator implements Authenticator {
        @Override
        public User authenticate(HttpServletRequest request) {
            // getSession(false): never create a session for an unauthenticated caller.
            HttpSession session = request.getSession(false);
            if (session == null) {
                return null; // no session, so not authenticated
            }
            // Whatever your login handler stored after it checked the password.
            Object email = session.getAttribute("email");
            // Return null if not authenticated, otherwise a User object.
            return email == null ? null : new User((String) email);
        }
    }

    // Endpoints class.
    @Api(name = "example", authenticators = { MyAuthenticator.class })
    public class MyEndpoints {
        // Endpoints injects the User returned by the authenticator (or null).
        public Profile getProfile(User user) throws UnauthorizedException {
            if (user == null) {
                throw new UnauthorizedException("Authorization required");
            }
            return new Profile(user.getEmail(), "displayName");
        }

        // Store this class somewhere in your models; it must be static (or
        // top-level) so Endpoints can serialise it as a response.
        public static class Profile {
            private final String email;
            private final String displayName;

            public Profile(String email, String displayName) {
                this.email = email;
                this.displayName = displayName;
            }

            public String getEmail() {
                return email;
            }

            public String getDisplayName() {
                return displayName;
            }
        }
    }

Use the HttpServletRequest object to implement classic session-based login, or use your own custom header; that depends on your case. Return null when not authenticated and a User object when authenticated. Also implement some kind of encryption on both sides (client and server), so as to stop someone who has the session key from accessing your API.
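The custom-header variant mentioned above, as an added example that is not part of the original answer: instead of a server-side HttpSession, the login handler issues an HMAC-signed token with an expiry, and the Authenticator verifies the signature and expiry on every request and rebuilds the User from the token, so no Datastore read is needed after login. The class name SessionTokens, the header name X-Session-Token, the eight-hour lifetime and the SESSION_HMAC_KEY environment variable are assumptions for the example.

```java
package example.auth;

import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Authenticator;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

/** Stateless session tokens: payload.signature, both base64url without padding. */
public final class SessionTokens {
    private static final String HEADER = "X-Session-Token";      // assumed header name
    private static final long TTL_MILLIS = 8L * 60 * 60 * 1000;  // assumed 8-hour lifetime
    // Assumption: key comes from the environment. In production load it from a
    // secret store and rotate it; never hard-code it or check it into source.
    private static final byte[] KEY =
            System.getenv("SESSION_HMAC_KEY").getBytes(StandardCharsets.UTF_8);

    private SessionTokens() {}

    /** Called once, after the password check: the only place the Datastore is read. */
    public static String issue(String userId, String email, long nowMillis) {
        String payload = Base64.getUrlEncoder().withoutPadding().encodeToString(
                (userId + "|" + email + "|" + (nowMillis + TTL_MILLIS))
                        .getBytes(StandardCharsets.UTF_8));
        return payload + "." + sign(payload);
    }

    /** Returns the User encoded in the token, or null if it is forged, altered or expired. */
    public static User verify(String token, long nowMillis) {
        if (token == null) return null;
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        String sig = token.substring(dot + 1);
        // Constant-time comparison: String.equals() would leak how many bytes matched.
        if (!MessageDigest.isEqual(sig.getBytes(StandardCharsets.UTF_8),
                                   sign(payload).getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        // Only now is the payload trusted enough to parse.
        String[] parts = new String(Base64.getUrlDecoder().decode(payload),
                                    StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3) return null;
        long expires;
        try {
            expires = Long.parseLong(parts[2]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expires) return null;  // expired tokens are rejected outright
        return new User(parts[0], parts[1]);    // (id, email) constructor of Endpoints' User
    }

    private static String sign(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding()
                    .encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Drop-in replacement for a session-based Authenticator; needs no server state. */
    public static final class TokenAuthenticator implements Authenticator {
        @Override
        public User authenticate(HttpServletRequest request) {
            return verify(request.getHeader(HEADER), System.currentTimeMillis());
        }
    }
}
```

Because the token carries its own integrity check and expiry, the server keeps nothing between requests, which is what the question asks for. Two caveats: the token must only ever travel over HTTPS, since anyone who captures it can replay it until it expires, and a stateless token cannot be revoked before expiry except by rotating the key or keeping a revocation list, which reintroduces a lookup on each request; keep the lifetime short accordingly.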