29 Matching Annotations
  1. Last 7 days
    1. recommend using Firebase when the API calls involve any user data and the API is intended to be used in flows where the user has a user interface
    2. An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the GCP Console and embeds that key in every call to your API as a query parameter
    1. This is useful if just a subset of the operations need the API key

      can we do wildcard paths at all?

    2. API keys are supposed to be a secret that only the client and server know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL
    1. API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key

      hmmm... what about client-API architectures where there are no username/pwd pairs?

    2. Cloud Endpoints handles both API keys and authentication schemes, such as Firebase or Auth0
    1. Access control for GCP APIs encompasses authentication, authorization, and auditing. Authentication determines who you are, authorization determines what you can do, and auditing logs record what you did
    2. Application credentials provide the required information about the caller making a request to a GCP API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys.
    1. OAuth can be many things. It is most commonly used to allow an application (the consumer) to access data or services that the user (the resource owner) has with another service (the provider), and this is done in a way that prevents the consumer from knowing the login credentials that the user has with the provider
    1. For each call to your API, the user should send a token with every API request, and you should validate the encoded token and either deny or send back the response.
    1. Cloud IAP enables you to configure Cloud IAP policies for individual resources in a Google Cloud Platform (GCP) project. Multiple apps within a project can each have different access policies
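      The highlights above separate two things an API gateway has to do on every call: the API key identifies the calling project for quota and billing (and, being long-lived and client-visible, proves nothing about who the user is), while a signed, expiring token authenticates the user and must be validated on each request. The following is an added example written for this page, not code from the Google Cloud docs or from the annotator. It assumes a constructed in-memory key registry, an HS256 JWT signed with a shared secret (Firebase and Google-issued ID tokens are RS256 and are checked against the issuer's published public keys instead, but the alg, signature and exp checks have the same shape), and a hypothetical handle_request function standing in for the ESP/gateway logic.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample registry (not real GCP keys): an API key only maps the
# call to a project for quota/billing. It does not identify a user.
API_KEYS = {
    "demo-api-key-1": {"project": "demo-project"},
}

# Assumption for this example: HS256 with a shared secret. Real Firebase /
# Google ID tokens are RS256 and must be verified against the issuer's JWKS.
JWT_SECRET = b"demo-shared-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issuer side: mint a short-lived HS256 JWT for `subject`."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> Tuple[Optional[dict], Optional[str]]:
    """Return (claims, None) if the token is valid, otherwise (None, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, "malformed token"
    # Pin the algorithm server-side; never let the token header pick it ("none", key confusion).
    if header.get("alg") != "HS256":
        return None, "unsupported alg"
    expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None, "malformed token"
    # Unlike an API key, a token carries its own expiry; enforce it on every call.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "token expired"
    return claims, None


def handle_request(query: dict, headers: dict, now: Optional[int] = None) -> Tuple[int, dict]:
    """Gate one API call: the API key identifies the project, the JWT authenticates the user."""
    project = API_KEYS.get(query.get("key", ""))
    if project is None:
        return 403, {"error": "missing or unknown API key"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims, reason = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": reason}
    return 200, {"project": project["project"], "user": claims["sub"]}


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("alice", ttl_seconds=300, now=now)
    print(handle_request({"key": "demo-api-key-1"}, {"Authorization": "Bearer " + token}, now))
    print(handle_request({"key": "demo-api-key-1"}, {"Authorization": "Bearer " + token}, now + 600))
```

      The two checks are deliberately independent: a stolen API key alone still yields 401, and a valid token sent without a key still yields 403, which is the layering the quoted docs describe. Passing the key as a query parameter, as the docs show, means it lands in server and proxy access logs, so treat those logs as sensitive or move the key to a header.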
  2. Sep 2019
    1. deploying an App Engine standard or flexible environment application and securing it with Cloud Identity-Aware Proxy (Cloud IAP)

      isn't IAP sufficient to secure apps, then?

    1. On the App Engine flexible environment, ESP is automatically deployed for you when you add a few lines to your app.yaml file. For more information, see Deploying your API and ESP. For the App Engine standard generation 1 environment, you must use Endpoints Frameworks. If you instead deploy the container to one of the compute options above, you can proxy to either generation of App Engine standard runtime.

      ??

    1. Endpoints is a distributed API management system. It provides an API console, hosting, logging, monitoring, and other features to help you create, share, maintain, and secure your APIs
    1. Use your favorite API framework and language, or choose our open source Cloud Endpoints Frameworks in Java or Python. Simply upload an OpenAPI specification and deploy our containerized proxy

      oh so maybe endpoints framework is just their open source implementation that is limited to java 8 & python 2.7, otherwise endpoints is available to any stack?

    1. Endpoints Frameworks for Python is integrated with the App Engine standard Python 2.7 runtime environment. Endpoints Frameworks consists of tools, libraries, and capabilities that let you generate APIs and client libraries from an App Engine application

      this doesn't seem to be about security per se

    1. Endpoints Frameworks is supported only on the App Engine standard Python 2.7 and Java 8 runtime environments

      seems like endpoints frameworks is different from endpoints itself

  3. Jul 2019
    1. you should be mindful how often you request updates to avoid annoying or tiring your users. That is, you should limit requesting in-app updates to only the changes that are important to the functionality of your app
  4. Jun 2019
  5. Apr 2019
    1. App Engine features a local UNIX socket interface for accessing your Cloud SQL instance with automatic authorization using the App Engine service account
  6. Feb 2019