Hello Amir, 

You are right, there are red flags and warnings. By default, API methods do 
not allow cookie authentication, and require the use of OAuth2. You incur 
the risk of Cross-Site Request Forgery (CSRF) 
<https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet>. 
It is recommended 
<https://cloud.google.com/endpoints/docs/frameworks/legacy/v1/java/javadoc/com/google/api/server/spi/config/ApiAuth.html#allowCookieAuth--> 
to be very cautious in enabling this setting, and make sure to require 
appropriate XSRF tokens to protect your API.

Have you weighed the option of rather re-writing and implementing the 
recommended OAuth2 authentication 
<https://cloud.google.com/endpoints/docs/frameworks/legacy/v1/java/annotations>:
"For OAuth2 authentication, an OAuth2 token is issued to a specific client 
ID, which means that this client ID can be used for restricting access to 
your APIs. When you register an iOS or Android application in the Google 
Cloud Platform Console, you create a client ID for it. This client ID is 
the one requesting an OAuth2 token from Google for authentication purposes. 
When the back-end API is protected by auth, an OAuth2 access token is sent 
and opened by Google Cloud Endpoints, the client ID is extracted from the 
token, and then the ID is compared to the backend's declared acceptable 
Client ID list (the clientIds list)."

You can find related information in the "google endpoints (java), session 
cookies and iOS" thread 
<https://groups.google.com/forum/#!topic/google-appengine/HJTJhsQG6Ws>. 

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/a6d58464-241b-4782-81fe-62aa987f9b0e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
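The two configurations discussed in the reply above, as an added example that is not part of the original thread or of Google's own samples: an Endpoints Frameworks (Java, legacy v1) API class that keeps the default OAuth2-only authentication and restricts callers through the `clientIds` list, and beside it a class that opts into `allowCookieAuth` and therefore enforces an XSRF token on every state-changing method. The API name, the `Note` bean, the client ID constants, the `X-XSRF-Token` header name and the HMAC-based token scheme are all assumptions made for this example.

```java
package com.example.api;

import com.google.api.server.spi.Constant;
import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.AnnotationBoolean;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiAuth;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;

/** Plain request/response bean, assumed for this example. */
class Note {
  public String text;
}

/**
 * Recommended shape: no cookie auth (the default), so a caller must present an
 * OAuth2 access token minted for one of the client IDs listed below. Endpoints
 * opens the token, extracts the client ID and rejects anything not in the list.
 * The ID values are placeholders; real ones come from the Cloud Console project.
 */
@Api(
    name = "notes",
    version = "v1",
    clientIds = {
      NotesApi.WEB_CLIENT_ID,
      NotesApi.ANDROID_CLIENT_ID,
      NotesApi.IOS_CLIENT_ID,
      Constant.API_EXPLORER_CLIENT_ID
    },
    audiences = {NotesApi.WEB_CLIENT_ID},
    scopes = {Constant.API_EMAIL_SCOPE})
public class NotesApi {
  static final String WEB_CLIENT_ID = "PLACEHOLDER-web.apps.googleusercontent.com";
  static final String ANDROID_CLIENT_ID = "PLACEHOLDER-android.apps.googleusercontent.com";
  static final String IOS_CLIENT_ID = "PLACEHOLDER-ios.apps.googleusercontent.com";

  @ApiMethod(name = "create", httpMethod = ApiMethod.HttpMethod.POST)
  public Note create(User user, Note note) throws UnauthorizedException {
    // Endpoints injects null when no valid token was presented; the method
    // must refuse rather than fall through to an anonymous write.
    if (user == null) {
      throw new UnauthorizedException("Valid OAuth2 token required");
    }
    return note;
  }
}

/**
 * Cookie-auth variant: the session cookie is sent automatically by the browser,
 * so a cross-site page can trigger this method on the user's behalf. Every
 * state-changing call therefore also requires a token the attacker cannot
 * read: here an HMAC over the user's identity under a server-side secret,
 * sent in a custom header rather than as a cookie.
 */
@Api(
    name = "legacyNotes",
    version = "v1",
    auth = @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE),
    clientIds = {NotesApi.WEB_CLIENT_ID, Constant.API_EXPLORER_CLIENT_ID})
class LegacyNotesApi {
  // Assumed to be loaded from a secret store in a real deployment.
  private static final byte[] XSRF_SECRET =
      "PLACEHOLDER-rotate-me".getBytes(StandardCharsets.UTF_8);

  /** Token the server hands to the page after login; the same value is expected back. */
  static String xsrfTokenFor(User user) {
    try {
      Mac mac = Mac.getInstance("HmacSHA256");
      mac.init(new SecretKeySpec(XSRF_SECRET, "HmacSHA256"));
      byte[] tag = mac.doFinal(user.getEmail().getBytes(StandardCharsets.UTF_8));
      return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    } catch (java.security.GeneralSecurityException e) {
      throw new IllegalStateException(e);
    }
  }

  @ApiMethod(name = "create", httpMethod = ApiMethod.HttpMethod.POST)
  public Note create(User user, Note note, HttpServletRequest request)
      throws UnauthorizedException {
    if (user == null) {
      throw new UnauthorizedException("Login required");
    }
    String presented = request.getHeader("X-XSRF-Token");
    String expected = xsrfTokenFor(user);
    // Constant-time comparison; a missing or mismatched token is treated as CSRF.
    if (presented == null
        || !MessageDigest.isEqual(
            presented.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8))) {
      throw new UnauthorizedException("Missing or invalid XSRF token");
    }
    return note;
  }
}
```

`HttpServletRequest` is one of the types Endpoints Frameworks injects into method parameters, which is what lets the second class read the header without a servlet filter. Binding the token to the user identity means a token leaked from one session cannot be replayed against another, and keeping it in a header rather than a cookie is what stops the browser from attaching it automatically on a cross-site request.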