cloud.users api throwing assert error on local development

[nicopinto]

When trying to use users.get_current_user(), this line gives an assertion error which prevents the app from running locally: https://github.com/google/gae-secure-scaffold-python3/blob/master/src/securescaffold/contrib/appengine/users.py#L69

As a current solution we wrap it in a try/catch, using a default email on an exception.

Is possible to have a mock user for a local environment, or similar?

[davidwtbuxton]

Hi, I have a vague memory that this surprising behaviour is exactly what the old google.appengine.api.users implementation does.

I wonder whether there is a difference here between the Py3 and Py2 request environments, since the user security headers only appear when IAP is enabled for the Py3 env.

[tushuhei]

Perhaps dev_appserver.py is doing some magic in PY2 environment? PY3 users may just run the Flask app (i.e. python main.py), which doesn't simulate GAE special headers.

[davidwtbuxton]

Yep yep. So we could definitely change the implementation so it doesn't raise AssertionError when the request header is missing or empty, but that would be slightly different to what the Py2 users API does.

Or we could help devs by documenting that the header has to be present for tests and local development.

I suspect that it is better to change this to not raise AssertionError, but I'd like to understand better exactly what the old request environment was compared to the Py3 request environment with and without IAP enabled.

[davidwtbuxton]

Source for Py2 users API: https://cloud.google.com/appengine/docs/standard/python/refdocs/modules/google/appengine/api/users#User

[nicopinto]

Right, makes sense, but since we don't have the dev_appserver.py as tushuhei mentioned, maybe is possible to have the local headers as part of the settings.py and include that in the docs?

[tushuhei]

I made a PR https://github.com/google/gae-secure-scaffold-python3/pull/4 to mock a user on the local development server. @davidwtbuxton Could you take a look and give me suggestions if any?

[davidwtbuxton]

@tushuhei Thanks for creating PR #4 to fix this problem, much appreciated.

Going back to my comment above what do you think if we change the implementation of secure scaffold.contrib.appengine.users:User so that it does not raise an AssertionError when the auth domain is missing on a request?

I looked at this a couple of weeks ago. Effectively the Py27 runtime has a default of "gmail.com" for this auth domain, so the equivalent Users API code never hit this case of a missing auth domain.

I see your PR has very helpful instructions and code for setting the user details when running tests. There's a helper with the same purpose - would this cover your use case?

https://github.com/google/gae-secure-scaffold-python3/blob/master/src/securescaffold/contrib/appengine/tests/test_users.py#L26

[Andrioden]

Workaround is setting

os.environ["AUTH_DOMAIN"] = 'gmail.com'