The solution will depend on how much you care about thwarting would-be malcontents that have access to the app. Presumably you need to password protect aspects of the application because it's going to be interfacing to external systems (other software that may connect to databases, write/read files, control I/O, etc).
Anything you implement purely in a G Web app can be circumvented by anyone with a bit of time and ability to use the developer tools built into any modern web browser. String constants you use on block diagrams will be accessible to anyone looking at the source of the files loaded by the web browser (take a look at the .via.txt file that'll show up in the network / sources tab of chrome et al). If all you need to do is provide a minimal level of protection to prevent the unsavvy from mucking about in your app, then this certainly might be suitable for doing the access control within the G Web app itself. If this works and you want the better user experience then I'd create separate web pages in G Web and the "login" page can send a user to the other page if the entered info matches. However anyone that gets access to that page could then bookmark it and even share the link to others potentially bringing you back to the original problem. There are varying levels of tricks that could be played, such as embedding a timestamp as a query parameter in every request and then if this isn't up to date or not present you could redirect users back to login but this fails as soon as someone finds out how that parameter works.
Ideally, you have some backend software running (perhaps a LV Web Service) that handles the auth checks and would handle any requests to other services such as databases, files, test control, etc. that could be ignored if valid auth info isn't available.
