Since the `js` files are accessed by links (by the browsers, transparently for the user, when rendering the pages containing those links) then you can't really hide their links - they will also be accessible if the user types the respective links directly in the browser.
What you can do however is to restrict access to these links to the authorized users only (the others will get permission denied errors).
If you're using Google's Users API then all you have to do is configure access in your `app.yaml` file (see `login` row in the Handlers element table), like this:
```yaml
- url: /js
  static_dir: js
  login: required
```
If you're using some other authentication method then the only option I can think of is to not publish the `js` dir as `static_dir` (as static resources are served directly by GAE to anyone without even touching your app instance/code, like a CDN). Instead serve the `js` files through your app code, dynamically - just like you do with your `api.php` code. This way you can implement any access policy you desire for each individual file, on a per-request basis (for example by checking user login/session credentials according to your authentication method).
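One way to serve the files dynamically with a per-request check, as an added example that is not part of the original answer. It assumes PHP 7.1+, that requests under `/js/` are routed to this hypothetical script instead of a `static_dir`, that the files live in a hypothetical `private_js` directory, and that your login code sets `$_SESSION['user_id']`.

```php
<?php
// Added example (hypothetical serve_js.php), not code from the original answer.
// Assumption: the app's own login code stores the user in $_SESSION['user_id'].

const JS_DIR = __DIR__ . '/private_js';   // hypothetical dir, NOT published as static_dir

function resolve_script(string $requestUri, string $baseDir): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Use only the final path component; directory parts (including "../") are discarded.
    $name = basename($path);
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.js\z/', $name)) {
        return null;
    }
    // realpath() resolves symlinks; the result must still live inside $baseDir.
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $name);
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

function is_authorized(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return !empty($_SESSION['user_id']);
}

if (!is_authorized()) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}
$file = resolve_script($_SERVER['REQUEST_URI'] ?? '', JS_DIR);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep shared caches from storing gated files
header('Content-Length: ' . filesize($file));
readfile($file);
```

The `Cache-Control` header matters here: a gated script that an intermediate cache stores can be replayed to users who never passed the check.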