google / gae-secure-scaffold-python3
Secure scaffold for Google App Engine static and dynamic Python websites
License: Apache License 2.0
If you deploy a basic scaffold App Engine app, on startup it always attempts to connect to Cloud Datastore using the default service account credentials. This happens even if nothing in the app uses Cloud Datastore.
On a new App Engine project, this causes a 500 error. In the application log, you can see a message google.api_core.exceptions.PermissionDenied: 403 Missing or insufficient permissions that is emitted as part of the NDB datastore library.
A quick fix is to grant the default App Engine service account the required permissions.
The default App Engine service account normally gets the editor role, but this can be changed per-organization. If the GCP organization changes the default role, or removes all permissions for the service account by default, then your scaffold app can fail.
https://cloud.google.com/appengine/docs/standard/configure-service-accounts#default_service_account
The scaffold connects to the datastore in order to set/get a secret that is used by Flask for signing cookies and stuff. If the app doesn't need to do that, then we should make it so the app doesn't require access to the datastore, and avoid this error.
https://flask.palletsprojects.com/en/3.0.x/config/#SECRET_KEY
Find out what the pain points are for projects which want to use reproducible builds with pip, and fix them.
Hi!
It looks like it's not possible to customize the value of the X-Frame-Options header. The get_talisman_config() function seems to only pick up a selection of settings, which does not include the frame-options one.
I need this because I'm building a component that will be embedded in a website on another domain, in an iframe.
Am I missing something?
Following a suggestion from @miuraken, we should have a CI pipeline to run tests and enforce a code style.
Use Cloud Build: https://cloud.google.com/solutions/continuous-integration
Currently, any query string set on the redirect path is not preserved when redirected.
Current:
/?foo=bar -> /intl/en/
Expected:
/?foo=bar -> /intl/en/?foo=bar
# Follows github.com/google/gae-secure-scaffold-python3/blob/master/examples/language-redirect/main.py
import securescaffold

app = securescaffold.create_app(__name__)
# "/" is redirected to the locale-specific path; the incoming query string is currently dropped.
app.add_url_rule("/", "lang_redirect", securescaffold.views.lang_redirect)
app.config["LOCALES"] = ["en"]
app.config["LOCALES_REDIRECT_TO"] = "/intl/{locale}/"
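The behaviour the issue asks for, as an added example that is not part of the scaffold or the issue: a stdlib-only function that builds the language-redirect target and carries the incoming query string over, re-encoding it so user-supplied parameters cannot break the target URL. The LOCALES and LOCALES_REDIRECT_TO values are the issue's example settings (plus an assumed second locale), and pick_locale is a simplified negotiation that ignores q-values.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed settings mirroring the app.config keys quoted in the issue;
# "fr" is added here only so locale selection has something to choose.
LOCALES = ["en", "fr"]
LOCALES_REDIRECT_TO = "/intl/{locale}/"


def pick_locale(accept_language: str, locales, default: str) -> str:
    """Return the first supported locale named in an Accept-Language header.

    Simplification: q-values are ignored, so header order decides, and
    region subtags (en-US) match their base language (en).
    """
    for part in accept_language.split(","):
        tag = part.split(";", 1)[0].strip().lower()
        if not tag:
            continue
        for locale in locales:
            if tag == locale or tag.startswith(locale + "-"):
                return locale
    return default


def lang_redirect_target(path_and_query: str, accept_language: str) -> str:
    """Build the redirect Location, preserving the request's query string.

    /?foo=bar with Accept-Language en-US becomes /intl/en/?foo=bar.
    The target is always a relative path, so no host can be injected, and
    the query is rebuilt with urlencode rather than appended verbatim.
    """
    locale = pick_locale(accept_language, LOCALES, LOCALES[0])
    incoming = urlsplit(path_and_query)
    dest = urlsplit(LOCALES_REDIRECT_TO.format(locale=locale))
    # Merge any query the template already carries with the incoming one;
    # blank values (b=) are kept so parameters are not silently dropped.
    params = parse_qsl(dest.query, keep_blank_values=True)
    params += parse_qsl(incoming.query, keep_blank_values=True)
    return urlunsplit(("", "", dest.path, urlencode(params), ""))
```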
When trying to use users.get_current_user(), this line gives an assertion error which prevents the app from running locally:
https://github.com/google/gae-secure-scaffold-python3/blob/master/src/securescaffold/contrib/appengine/users.py#L69
As a current solution we wrap it in a try/catch, using a default email on an exception.
Is it possible to have a mock user for a local environment, or similar?
Please document how to use this secure scaffold with single page applications, e.g. Angular and React SPAs. These would typically serve the static HTML directly from AppEngine (not through Python templating), which makes it impossible to inject the CSRF token. To make things more complicated, the CSRF token can also not be read from client-side JavaScript, because the secure scaffold defaults set the cookie to HttpOnly.
As far as I can tell, setting the cookie to HttpOnly does not add to the protection in a major way - e.g. see https://docs.djangoproject.com/en/3.0/ref/settings/#csrf-cookie-httponly.
The examples use the Python 3.7 runtime for App Engine. Update to the current runtime version.