-1

I have deployed a php application to google app engine. The app.yaml file looks like below:

- url: /css
  static_dir: css

- url: /js
  static_dir: js

- url: /api
  script: api.php

- url: /
  static_files: index.html
  upload: index.html

As of now, I am able to access any file inside js folder using the url: project-name.appspot.com/js/custom.js. Any user should not be able to view content of the file by just typing the path in the url. I want to restrict public access to any of the files except index.html. How can we achieve this ?

Thanks

Ashy Ashcsi
  • 1,045
  • 3
  • 16
  • 33

1 Answers1

0

Since the js files are accessed by links (by the browsers, transparently for the user, when rendering the pages containing those links) then you can't really hide their links - they will also be accessible if the user types the respective links directly in the browser.

What you can do however is to restrict access to these links to the authorized users only (the others will get permission denied errors).

If you're using Google's Users API then all you have to do is configure access in your app.yaml file (see login row in the Handlers element table), like this:

- url: /js
  static_dir: js
  login: required

If you're using some other authentication method then the only option I can think of is to not publish the js dir as static_dir (as static resources are served directly by GAE to anyone without even touching your app instance/code, like a CDN). Instead serve the js files through you app code, dynamically - just like you do with your api.php code. This way you can implement any access policy you desire for each individual file, on a per-request basis (for example by checking user login/session credentials according to your authentication method).

Dan Cornilescu
  • 37,297
  • 11
  • 54
  • 89