Why is Google IAP putting double-digit request cookies in my headers? - google-app-engine

I have an app running on Google App Engine (Flask, Python 3, flexible environment) using the Identity-Aware Proxy to allow everyone in our organization (which uses G Suite) to control access. Recently we've been getting 413 errors.
When I looked at the cookies of the failing requests I expected to see one request cookie prefixed with GCP_IAAP_AUTH_TOKEN. Instead I see 11, each one slightly different. Their combined sizes put us over the 15 KB header size limit indicated in the link below, causing a 413 error.
https://cloud.google.com/appengine/docs/flexible/go/how-requests-are-handled
I don't understand why there are so many cookies, or how to make them go away. Our users all use Chrome, and many but not all of them are intermittently running into this error. Those that aren't, when their cookies are inspected, show only a couple cookies with this prefix. See below for an example of what this collection of cookies looks like:

Posting what ended up solving this particular instance of the problem in case something like it occurs to other people in the future.
The original IAP code for our project was written in 2018. At the time, IAP had a known issue requiring users to log in again every hour. The suggested workaround from this thread was to use a hidden iframe.
https://issuetracker.google.com/issues/69386592?pli=1
We followed that guidance, but Google fixed the underlying issue in June of 2019. Now, following that guidance causes a gradual accumulation of session cookies in the headers. Removing the no-longer-needed offending iframe code solved the problem.
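A diagnostic check for the symptom described above, written as an added example for this page rather than taken from the original post. It assumes the 15 KB request-header limit of the App Engine flexible environment from the linked docs, assumes IAP cookie names start with the GCP_IAAP_AUTH_TOKEN prefix as the question states (the numeric suffix in the constructed sample is a placeholder, not Google's real naming), and splits the raw Cookie header itself so that same-prefixed cookies are counted rather than collapsed as http.cookies.SimpleCookie would do. The warn_if_accumulating helper is meant to be called from a Flask before_request hook with request.headers, or any mapping with a "Cookie" key; its threshold argument is a hypothetical tuning knob, not an IAP setting.

```python
"""Detect accumulated IAP session cookies before the 15 KB header limit bites."""
from __future__ import annotations

import logging
from dataclasses import dataclass
from typing import Mapping, Optional

log = logging.getLogger(__name__)

IAP_COOKIE_PREFIX = "GCP_IAAP_AUTH_TOKEN"
# Limit taken from the App Engine flexible "how requests are handled" docs linked above.
HEADER_LIMIT_BYTES = 15 * 1024


@dataclass
class IapCookieReport:
    iap_cookie_count: int      # cookies whose name starts with the IAP prefix
    iap_cookie_bytes: int      # bytes those cookies alone contribute
    total_cookie_bytes: int    # size of the whole Cookie header value
    over_limit: bool           # True when the headers would exceed HEADER_LIMIT_BYTES


def parse_cookie_header(cookie_header: str) -> list[tuple[str, str]]:
    """Split a raw Cookie header into (name, value) pairs, keeping duplicates.

    http.cookies.SimpleCookie would collapse same-named cookies into one,
    which hides exactly the accumulation being diagnosed here.
    """
    pairs = []
    for chunk in cookie_header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def inspect_iap_cookies(cookie_header: str, other_header_bytes: int = 0) -> IapCookieReport:
    """Count IAP cookies and check whether the request is over the header limit.

    other_header_bytes lets the caller add the size of the non-Cookie headers
    so the check reflects the full header block the front end measures.
    """
    pairs = parse_cookie_header(cookie_header)
    iap = [(n, v) for n, v in pairs if n.startswith(IAP_COOKIE_PREFIX)]
    iap_bytes = sum(len(n) + len(v) + 1 for n, v in iap)  # +1 for the '='
    total = len(cookie_header.encode("utf-8"))
    return IapCookieReport(
        iap_cookie_count=len(iap),
        iap_cookie_bytes=iap_bytes,
        total_cookie_bytes=total,
        over_limit=total + other_header_bytes > HEADER_LIMIT_BYTES,
    )


def warn_if_accumulating(headers: Mapping[str, str], threshold: int = 3) -> Optional[IapCookieReport]:
    """Log a warning when more than `threshold` IAP cookies ride on one request.

    Intended to be called from a Flask before_request hook with request.headers.
    `threshold` is a hypothetical tuning knob, not an IAP setting.
    """
    cookie_header = headers.get("Cookie", "")
    if not cookie_header:
        return None
    report = inspect_iap_cookies(cookie_header)
    if report.iap_cookie_count > threshold or report.over_limit:
        log.warning(
            "%d IAP cookies (%d bytes) on request; Cookie header is %d bytes, over limit=%s",
            report.iap_cookie_count, report.iap_cookie_bytes,
            report.total_cookie_bytes, report.over_limit,
        )
    return report


def build_sample_cookie_header(n_iap: int, token_len: int = 1400) -> str:
    """Constructed sample input: n_iap IAP cookies plus one unrelated cookie.

    The numeric suffix is a stand-in for whatever suffix IAP really appends;
    only the prefix matters to the check above.
    """
    parts = ["session=abc123"]
    for i in range(n_iap):
        parts.append(f"{IAP_COOKIE_PREFIX}_{i:02d}={'x' * token_len}")
    return "; ".join(parts)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(warn_if_accumulating({"Cookie": build_sample_cookie_header(11)}))
    print(warn_if_accumulating({"Cookie": build_sample_cookie_header(2)}))
```

With eleven 1400-byte tokens the constructed header comes out at 15689 bytes, past the limit, while two of them stay well under it; wiring the helper into a before_request hook gives you a log line for each affected user before the front end answers with a 413.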

Gmail API no longer returns Access-Control-Allow-Origin

We're using the Gmail API to enable users to send emails from our app.
The following request (with uploadType=resumable included) had been working well until yesterday,
https://www.googleapis.com/upload/gmail/v1/users/userId/messages/send&uploadType=resumable
but suddenly it no longer returns the Access-Control-Allow-Origin header in the response, leading to a CORS error.
Has Google changed its policy recently? Or, can anybody guess what might have caused this change?
It's a bug
Many users are affected by it.
It has already been filed on Google's Public Issue Tracker.
I recommend giving the issue a "star" to highlight its importance and increase visibility.

I got "403 Forbidden" using the Custom Search Engine on a paid account

I am trying to use the Google search engine via a Python script. It was working fine at the beginning, but later I got "HTTP Error 403: Forbidden". I think it is due to the 100 requests per day limitation. But I have a paid account, and billing support told me that everything is OK. Is it possible somehow to solve this problem?
Thanks, Ilia
There are a lot of reasons for which the API will throw Error 403. You can find them all here: GOOGLE DOC FOR 403 Forbidden
Your 403 error might indicate that the API key you are using has lost its permissions, or that the quota of your API requests has been exceeded and the new quota (the one you get once you have a billing account) has not been updated yet.
I assume you are using this API; If not, don't worry, the following advice might also help you.
You first need to see if your API key is still working or you might want to generate new ones. You can do this here. Your code should make reference to the new API Key file.
If that is not the case, then you should wait a little until your billing account is updated and the quota gets readjusted. You can read a bit more about how to monitor the requests to your APIs here.
You can always find more help with your particular issue if you describe a little the symptoms and your attempts or hypothesis to solve it.
Lastly, you may find more info on the community page of the API.

AppEngine authentication through Node.js

I'm trying to write a VS Code extension where users can log into Google App Engine with a Google account, and I need to get their SACSID cookie to make App Engine requests.
So I'm opening a browser window at
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttp://localhost:3000/
(generated by google.appengine.api.users.create_login_url)
The user logs in and is redirected to my local webserver at
localhost:3000/_ah/conflogin/?state={state}
Now I try to forward the request to my App Engine app (since it knows how to decode the state parameter), so I make a request to
https://my-app.appspot.com/_ah/conflogin/?state={state}
basically just replacing localhost with the actual app.
but it doesn't work, presumably because the domain is different. I assume this is on purpose, for security.
Is there any way I can make this work?
Not ideal, but the only solution I've found is to have an endpoint on my GAE instance that does the redirection. Then I can set that as the continue URL when I'm starting the authentication process:
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://my-app.appspot.com/redirect?to=http://localhost:3000
I think you should focus your attention on the protocols you are using, since it's known that the cookie name depends on the protocol (HTTP: ACSID, HTTPS: SACSID), and that's the security perspective up to this point for me.
Having the error you are facing now would help to understand the problem better. Also, knowing how you are performing the call to the API, and the code you are using, would be helpful too.

Invalid and/or missing SSL certificate when using Google App Engine

UPDATE: Please, if anyone can help: Google is waiting for inputs and examples of this problem on their bug tracking tool. If you have reproducible steps for this issue, please share them on: https://code.google.com/p/googleappengine/issues/detail?id=10937
I'm trying to fetch data from the StackExchange API using a Google App Engine backend. As you may know, some of StackExchange's APIs are site-specific, requiring developers to run queries against every site the user is registered in.
So, here's my backend code for fetching timeline data from these sites. The feed_info_site variable holds the StackExchange site name (such as 'security', 'serverfault', etc.).
import json
import urllib  # Python 2 urllib: urlopen and urlencode live in the same module

# Build the query string for the site-specific /me/timeline call and decode the JSON body.
data = json.loads(urllib.urlopen("%sme/timeline?%s" % (
    self.API_BASE_URL,
    urllib.urlencode({
        "pagesize": 100,
        "fromdate": se_since_timestamp,
        "filter": "!9WWBR(nmw",
        "site": feed_info_site,
        "access_token": decrypt(self.API_ACCESS_TOKEN_SECRET, self.access_token),
        "key": self.API_APP_KEY,
    }))).read())
for item in data['items']:
    ...  # code for parsing timeline items
When running this query on all sites except Stack Overflow, everything works OK. What's weird is, when the feed_info_site variable is set to 'stackoverflow', I get the following error from Google App Engine:
HTTPException: Invalid and/or missing SSL certificate for URL:
https://api.stackexchange.com/2.2/me/timeline?filter=%219WWBR%28nmw&access_token=<ACCESS_TOKEN_REMOVED>&fromdate=1&pagesize=100&key=<API_KEY_REMOVED>&site=stackoverflow
Of course, if I run the same query in Safari, I get the JSON results I'm expecting from the API. So the problem really lies in Google's URL Fetch service. I found several topics here on Stack Overflow related to similar HTTPS/SSL exceptions, but no accepted answer solved my problem. I tried removing cacerts.txt files. I also tried making the call with validate_certificate=False, with no success.
I think the problem is not strictly related to HTTPS/SSL. If so, how would you explain that changing a single API parameter would make the request to fail?
1. Wait for the next update to App Engine (one is scheduled soon), then update.
2. Replace browserid.org/verify with another service (verifier.login.persona.org/verify is a good service hosted by Mozilla that could be used).
3. Make sure cacerts.txt doesn't exist (looks like you have sorted that, but just in case :-) ).
4. Attempt again.
Good luck!
-Brendan
I was facing the same error. Google has updated App Engine now and the error is resolved; please check the updated docs.

Redirect loop when logging in to appengine

(yes - cross-posted from the google-appengine google group...I can't tell if they answer support questions like this there or here or what...it's all kind of a mess :) )
I am having a problem logging in to the App Engine console using certain accounts on my Google Apps domain (but not others).
No matter what browser I use (Firefox, Chrome, Safari, IE), I get a "too many redirects" error on https://appengine.google.com/start when I try to log in using a specific account. I have tried resetting all the browsers as well (clearing all cookies, cache, etc - even trying it on a clean install of an OS) - with no luck. Going directly to https://appengine.google.com/a/domain.name causes the same loop for those accounts. The same thing happens when running the browsers with privacy mode enabled.
One of the accounts having problems is the user nathan.toone on the k9webprotection.com Google Apps domain; however, we can log in with the user "admin" or the user "build-agent" on the same domain just fine (but not "build.agent" or "user2"). It seems to be all over the place as to which accounts are able to log in without the redirect loop and which ones aren't.
I have contacted google apps for your domain support, and they have said that it is outside their scope. They very "helpfully" pointed me to https://developers.google.com/appengine/kb/general - which didn't help AT ALL. :(
Again, the odd thing is that some of the accounts on the same domain are able to log in just fine. Does anyone have any idea what could be happening, or have a way for me to contact someone to get this worked out? I have found a couple of other people saying they have had this problem, but I have not been able to find a solution.
-Nathan