I have an app I'm creating that has 2 "sides" to it. One side allows Google Docs users to view their spreadsheets and do some manipulation on them. For this I have them go through the whole AuthSubURL dance, and add a token to their token store. Works great. I also store a copy of the session_token in a datastore entry for future use, like this:

    appuser.appuser_id = "johndoe123"
    appuser.session_token_str = session_token.get_token_string()
    ...
    ...
    appuser.put()

The other "side" to the app is that I have a publicly viewable page which shows some information about the app user's spreadsheets to anyone, using a URL like this:

    myapp.flubaroo.com/viewpage?appuser_id=johndoe123

This page looks up the datastore entry based on the appuser_id, and then uses the session_token in the record found to access the app user's spreadsheets and print some info about them. Note that this URL is open to the public, so the person accessing it need not have any special privileges to see the appuser's spreadsheets, nor even be logged in with a Google account.

This is done like this:

    import gdata.alt.appengine
    import gdata.auth
    import gdata.spreadsheet.service

    # Rebuild the AuthSub token from the string stored in the datastore
    session_token = gdata.auth.AuthSubToken()
    session_token.set_token_string(app_user.session_token_str)
    client = gdata.spreadsheet.service.SpreadsheetsService()
    client.current_token = session_token
    gdata.alt.appengine.run_on_appengine(client)
    sfeed = client.GetSpreadsheetsFeed()

This works fine. Here's my question: *why* does this work? I was shocked when it did. The session_token I look up from the datastore contains no information that I know of which references which Google user it was granted to, and therefore which Google user's spreadsheets should be accessed. Or does it?

Is what I'm doing even "kosher", or am I just abusing the API here? If so, what is the proper way to do this (I want to make sure it's supported in the future).

As a follow-up question: at some point during the execution of the code above, the session_token gets sent in cleartext across the internet. Couldn't someone in theory see it with a packet sniffer, and then use it in their code to access (and potentially maliciously manipulate) this Google user's spreadsheets? Isn't this a security flaw?

Thanks!
Dave