Push mechanism: Auth on webhook endpoint

Question

Push mechanism: Auth on webhook endpoint

I am curious how auth would work for the Push mechanism. This requires an endpoint on the subscriber to be accessible over the internet, so the pubsub client will verify that the message pushed is actually from Google? or does it remain available to subscribers?

If subscribers remain available, what is proposed to achieve it?

+3

google-cloud-pubsub

Sachin 30 jul. 15 at 5:14 am

source to share

3 answers

Alternatively, I would suggest the following:

Create a secret key. Store this private key at the publisher and endpoint.
When pushing a message to the queue, use HMAC-SHA256 with the private key to generate the HMAC of the message data. Add this HMAC value as a message attribute (base64 encoded).
When you receive a message on the handler, manually create the message data HMAC using HMAC-SHA256 using the private key and make sure it matches the HMAC in the message attribute.

As long as you keep the secret key ... secret and your message details are unique each time (add a nonce if not) this will ensure that the message is legitimate.

+1

Joe alamo 19 oct. 16 at 15:37

source to share

You can now use the / _ ah / push handlers / prefix for the push endpoint url route. This will allow you to require admin login by adding login: admin

to your app.yaml.

Example: myapp.appspot.com/_ah/push-handlers/myhandler

From https://cloud.google.com/pubsub/docs/advanced

+1

E-dou 19 oct. 16 at 16:37

source to share

Takashi matsuo · Accepted Answer · 2015-07-30T11:25:51+0000

The team knows this is not a perfect solution, but for now the only option is to add a secret token to the endpoint url as described in:

https://cloud.google.com/pubsub/faq#security

You can also periodically rotate the secret token for better security. Of course, you need to safely store the secret token.

Push mechanism: Auth on webhook endpoint

More articles: