Push mechanism: Auth on webhook endpoint
I am curious how auth would work for the Push mechanism. This requires an endpoint on the subscriber to be accessible over the internet, so will the pubsub client verify that the message pushed is actually from Google, or does it remain available to subscribers?
If subscribers remain available, what is proposed to achieve it?
The team knows this is not a perfect solution, but for now the only option is to add a secret token to the endpoint url as described in:
https://cloud.google.com/pubsub/faq#security
You can also periodically rotate the secret token for better security. Of course, you need to safely store the secret token.
Alternatively, I would suggest the following:
- Create a secret key. Store this private key at the publisher and endpoint.
- When pushing a message to the queue, use HMAC-SHA256 with the private key to generate the HMAC of the message data. Add this HMAC value as a message attribute (base64 encoded).
- When you receive a message on the handler, manually create the message data HMAC using HMAC-SHA256 using the private key and make sure it matches the HMAC in the message attribute.
As long as you keep the secret key ... secret and your message details are unique each time (add a nonce if not) this will ensure that the message is legitimate.
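The HMAC scheme from the last answer, sketched as an added example that is not code from any of the posters or from Google. The attribute names `hmac` and `nonce`, the function names, and the in-memory replay cache are assumptions; the sample push body is constructed. It goes slightly beyond the answer by covering the nonce with the MAC and by separating a replayed message from a forged one, since Pub/Sub delivery is at-least-once and a redelivery should be acknowledged rather than treated as an attack.

```python
import base64, hashlib, hmac, json, os

SEEN_NONCES = set()  # assumption: in-memory replay cache; production needs a shared, expiring store

def mac(key, nonce, data):
    # The MAC covers nonce and payload so neither can be swapped independently.
    return hmac.new(key, nonce.encode() + b"." + data, hashlib.sha256).digest()

def sign_attributes(key, data):
    """Publisher side: attributes to attach to the message before publishing."""
    nonce = base64.b64encode(os.urandom(16)).decode()
    return {"nonce": nonce, "hmac": base64.b64encode(mac(key, nonce, data)).decode()}

def build_push_body(data, attributes):
    """Constructed sample of the JSON body a push subscription POSTs to the endpoint."""
    return json.dumps({
        "message": {"data": base64.b64encode(data).decode(),
                    "attributes": attributes, "messageId": "1"},
        "subscription": "projects/example/subscriptions/example-sub",
    }).encode()

def verify_push(key, body):
    """Endpoint side: returns ("ok", data), ("replay", None) or ("invalid", None)."""
    try:
        msg = json.loads(body)["message"]
        data = base64.b64decode(msg["data"], validate=True)
        nonce = msg["attributes"]["nonce"]
        tag = base64.b64decode(msg["attributes"]["hmac"], validate=True)
        expected = mac(key, nonce, data)
    except (KeyError, TypeError, ValueError, AttributeError):
        return ("invalid", None)   # malformed or unsigned request
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return ("invalid", None)
    if nonce in SEEN_NONCES:
        # Authentic but already seen: acknowledge with 2xx, do not process again.
        return ("replay", None)
    SEEN_NONCES.add(nonce)
    return ("ok", data)

if __name__ == "__main__":
    key = os.urandom(32)  # assumption: shared secret provisioned out of band
    body = build_push_body(b"order-42", sign_attributes(key, b"order-42"))
    print(verify_push(key, body))  # first delivery
    print(verify_push(key, body))  # redelivery of the same message
```

An HTTP handler would answer "invalid" with a 4xx status and both "ok" and "replay" with a 2xx status, so that Pub/Sub stops retrying an authentic duplicate.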