What I do is require Google authentication and then check the user's email
address and domain against a whitelist. I had some trouble at first because
GMail addresses ignore internal periods, so for instance ad...@gmail.com
and ada...@gmail.com are the same address. In fact they are also the same
as ad...@googlemail.com, but I haven't worried about that case yet. I
wrapped this into a class that all my request handlers descend from:
class MyPage(webapp2.RequestHandler):
def validate_user(self, page_template):
template = JINJA_ENVIRONMENT.get_template('under_construction.html')
if users.get_current_user():
url = users.create_logout_url(self.request.uri)
url_linktext = 'Logout'
email = users.get_current_user().email()
# pylint: disable=unused-variable
address, domain = email.split("@")
canonical_address = address.replace('.', '')
canonical_email = canonical_address + '@' + domain
if (domain in WHITELISTED_DOMAINS or
canonical_email in WHITELISTED_ADDRESSES):
template = JINJA_ENVIRONMENT.get_template(page_template)
else:
logging.info('Login disallowed for: %s', email)
else:
url = users.create_login_url(self.request.uri)
url_linktext = 'Login'
template_values = {
'url': url,
'url_linktext': url_linktext,
}
return template, template_values
Each concrete request handler begins something like this:
def get(self):
template, template_values = self.validate_user(PAGE_TEMPLATE)
Suggestions for improvement are welcome!
--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at http://groups.google.com/group/google-appengine.
For more options, visit https://groups.google.com/d/optout.
