Open ejucovy opened 13 years ago
How do we configure that particular Django view to receive calls over HTTPS instead of HTTP? It looks like the login view is already HTTPS on the dev server, and all other URLs redirect HTTPS to HTTP, so this is presumably already configured somewhere.
This behavior is set in the nginx conf -- https://github.com/350org/localpower/blob/master/fabfile/server_config_files/nginx/rah_base_https and https://github.com/350org/localpower/blob/master/fabfile/server_config_files/nginx/rah_base_http redirect requests to https/http according to the path info, so we'd just need to add another entry to both of those checks.
Is it straightforward to make an https request with App Engine's make_fetch_call?
The online documentation (http://code.google.com/appengine/docs/python/urlfetch/asynchronousrequests.html) indicates that it is -- the url parameter is defined as "an http or https URL."
I think a shared secret would be a reasonable extra layer. This should probably use the same infrastructure described in #12 (backported from Django 1.4 series).
This shared secret should presumably be distinct from the Django site's default SECRET_KEY.
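The shared-secret layer discussed above, sketched as an added example that is not part of the original issue or the project's code: the App Engine side MACs a timestamp plus the exact POST body, and the Django side recomputes and compares it. It uses only the standard library rather than the infrastructure from #12; `WEBHOOK_SECRET`, `MAX_SKEW_SECONDS` and both function names are hypothetical, and the timestamp and signature are assumed to travel as request headers alongside the HTTPS POST.

```python
import hashlib
import hmac
import time

# Assumption: a dedicated secret provisioned on both App Engine and Django,
# distinct from the Django site's SECRET_KEY. Constructed value for the example.
WEBHOOK_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window, limits replay of old posts


def sign(secret, timestamp, body):
    """Sender side: hex HMAC-SHA256 over '<timestamp>.<raw POST body>'."""
    msg = str(int(timestamp)).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, timestamp_header, signature_header, body, now=None):
    """Receiver side: True only for a fresh request whose MAC matches."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False  # missing or malformed timestamp header
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # too old (or too far in the future) to accept
    expected = sign(secret, timestamp, body).encode("ascii")
    provided = (signature_header or "").encode("utf-8")
    # Constant-time comparison: does not reveal how many characters matched.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    body = b'{"event": "message", "id": 1}'  # constructed sample payload
    ts = int(time.time())
    sig = sign(WEBHOOK_SECRET, ts, body)
    print("valid request accepted:", verify(WEBHOOK_SECRET, str(ts), sig, body))
    print("tampered body accepted:", verify(WEBHOOK_SECRET, str(ts), sig, body + b"x"))
```

The receiver must verify against the raw request bytes before any parsing, since re-serialising the payload can change the bytes the MAC covers.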
The HTTP POST from App Engine to the Django site should be over HTTPS:
That is probably sufficient; but we may additionally want to ensure that only the trusted App Engine server can post messages to the Django site. For example: