I can confirm this is occurring, and I've reproduced the issue. The issue 
is being tracked over in the App Engine public issue tracker 
<https://code.google.com/p/googleappengine/issues/detail?id=12069>. Follow 
there for any updates.

For now, I think it's much better to be manually-inspecting the 
X-Appengine-Inbound-Appid header, as this is managed by the infrastructure 
and can't be spoofed.

You could also implement OAuth, but that adds overhead you may not want or 
need on a small app.

I've also posted the same as the above in the Stack Overflow thread 
mentioned. 



On Wednesday, June 17, 2015 at 12:37:36 PM UTC-4, Diego Fernandez wrote:
>
> Hello,
> citing 
> <http://stackoverflow.com/questions/30237946/google-app-engine-inter-module-communication-authorization#comment49814138_30237946> 
> the problem I have is that in the Docs (communication between modules) 
> <https://cloud.google.com/appengine/docs/python/modules/#Python_Communication_between_modules> 
> it says:
>
>> You can configure any manual or basic scaling module to accept requests 
>> from other modules in your app by restricting its handler to only allow 
>> administrator accounts, specifying login: admin for the appropriate handler 
>> in the module's configuration file. With this restriction in place, any 
>> URLFetch from any other module in the app will be automatically 
>> authenticated by App Engine, and any request that is not from the 
>> application will be rejected.
>>
>
> And this is exactly the configuration I have for my module called "api1". 
> In my *app.yaml* file I have:
>
> # can accept requests from other modules. with login: admin and they are
> # authenticated automatically.
> - url: /.*
>   script: _go_app
>   login: admin
>
> I'm trying now, from a different module in the same app, to make a service 
> call as suggested in the doc using the *urlfetch.fetch()* method, and my 
> implementation is:
>
> import json
>
> from google.appengine.api import urlfetch, modules, app_identity
> from rest_framework import status
> from rest_framework.decorators import api_view
> from rest_framework.response import Response
>
> @api_view(['POST'])
> def validate_email(request):
>     # Hostname of the "api1" module in the same app
>     url = "http://%s/" % modules.get_hostname(module="api1")
>     payload = json.dumps({"SOME_KEY":"SOME_VALUE"})
>
>     appid = app_identity.get_application_id()
>     result = urlfetch.fetch(url + "emails/validate/document",
>                             follow_redirects=False,
>                             method=urlfetch.POST,
>                             payload=payload,
>                             headers={"Content-Type":"application/json"})
>
>     return Response({
>         'status_code': result.status_code,
>         'content': result.content
>     }, status=status.HTTP_200_OK)
>
> According to the documentation, having specified 
> *follow_redirects=False*, *fetch()* will automatically insert a header 
> in my call (I've even tried to add it explicitly) with 
> *"X-Appengine-Inbound-Appid" : MY-APP-ID*.
> Unfortunately, as the result of the fetch call I get a 302 redirect; if I 
> follow it, it's a redirect to the authentication form. This occurs in the 
> development server as well as in production.
>
> Can you please let me know how I can call my *api1* service inside my 
> *validate_email* document (belonging to a different module in the same 
> app)?
> Is there another way to authenticate the call, since it seems the way 
> suggested inside the documentation is not working?
>
> Thank you
>
>
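
The header check suggested in the reply above, as an added example that is not code from either poster or from App Engine: a WSGI wrapper for the receiving module that rejects any request whose X-Appengine-Inbound-Appid is missing or not allow-listed. The names RequireInboundAppId, inbound_appid_allowed, status_for and backend are hypothetical, and "MY-APP-ID" is the placeholder from the question.

```python
# WSGI spelling of the X-Appengine-Inbound-Appid request header.
INBOUND_APPID_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"


def inbound_appid_allowed(environ, allowed_app_ids):
    """True only when the header is present and names an allow-listed app."""
    claimed = environ.get(INBOUND_APPID_KEY)
    # Missing or empty header: treat as unauthenticated (fail closed),
    # even if the allow-list was misconfigured to contain "".
    if not claimed:
        return False
    return claimed in allowed_app_ids


class RequireInboundAppId(object):
    """Wrap a WSGI app so only allow-listed calling apps reach it."""

    def __init__(self, app, allowed_app_ids):
        self.app = app
        self.allowed = frozenset(allowed_app_ids)

    def __call__(self, environ, start_response):
        if not inbound_appid_allowed(environ, self.allowed):
            # Answer 403 directly rather than redirecting to a login form,
            # so the calling module sees an unambiguous failure.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def backend(environ, start_response):
    """Stand-in for the protected handler (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(app, environ):
    """Drive a WSGI app with a constructed environ; return its status line."""
    seen = []
    body = app(environ, lambda status, headers: seen.append(status))
    list(body)  # exhaust the response iterable
    return seen[0]


if __name__ == "__main__":
    app = RequireInboundAppId(backend, ["MY-APP-ID"])  # placeholder app ID
    for env in ({}, {INBOUND_APPID_KEY: "other-app"},
                {INBOUND_APPID_KEY: "MY-APP-ID"}):
        print(env, "->", status_for(app, env))
```

In the receiving module the allow-list would normally hold the app's own ID, for example the value returned by app_identity.get_application_id().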
