Google App Engine makes it easy to deploy NodeJS applications. The GAE Standard Environment and SDK support NodeJS out of the box. This makes Google App Engine a great choice ahead of competitors such as Heroku, AWS or Microsoft Azure. Unfortunately though, there’s no support for managing secrets in Google App Engine. When I deployed Dog n Bone to GAE, I found this single shortcoming the main source of complexity.
There are however some workarounds. None of them is particularly nice though.
When I built out Dog n Bone – a browser phone powered by Twilio, I found that behavior on providing an incorrect accountSid / authToken was not quite what I expected. This post details how I detected Twilio API login failures in Dog n Bone.
Twilio uses ClientCapability tokens to grant access to API features. The back end obtains a ClientCapability object using a Twilio accountSid and authToken. It sets scopes on the ClientCapability to grant only necessary permissions on that account. API requests in the front end authenticate using the JWT created from the CapabilityToken. This mechanism allows the front end to authenticate to the API without exposing the Twilio accountSid / authToken.