Verify OpenID aud claim and added tests

Author: marickvantuil

README.md

@@ -41,13 +41,19 @@ Please check the table below for supported Laravel and PHP versions:
 composer require stackkit/laravel-google-cloud-scheduler
 ```
 
+(2) Define the `STACKKIT_CLOUD_SCHEDULER_APP_URL` environment variable. This should be the URL defined in the `URL` field of your Cloud Scheduler job.
+
+```
+STACKKIT_CLOUD_SCHEDULER_APP_URL=https://yourdomainname.com/cloud-scheduler-job
+```
+
 # Cloud Scheduler Example
 
 Here is an example job that will run `php artisan inspire` every minute.
 
 These are the most important settings:
 - Target must be `HTTP`
-- URL must be `yourdomainname.com/cloud-scheduler-job`
+- URL must be `https://yourdomainname.com/cloud-scheduler-job`
 - Auth header must be OIDC token!
 
 <img src="/example.png">

config/laravel-google-cloud-scheduler.php

@@ -0,0 +1,5 @@
+<?php
+
+return [
+    'app_url' => env('STACKKIT_CLOUD_SCHEDULER_APP_URL'),
+];

src/CloudSchedulerServiceProvider.php

@@ -12,6 +12,11 @@ public function boot(Router $router)
         $this->registerRoutes($router);
     }
 
+    public function register()
+    {
+        $this->mergeConfigFrom(__DIR__ . '/../config/laravel-google-cloud-scheduler.php', 'laravel-google-cloud-scheduler');
+    }
+
     private function registerRoutes(Router $router)
     {
         $router->post('cloud-scheduler-job', [TaskHandler::class, 'handle']);

src/OpenIdVerificator.php

@@ -8,6 +8,7 @@
 use Illuminate\Support\Facades\Cache;
 use phpseclib\Crypt\RSA;
 use phpseclib\Math\BigInteger;
+use Throwable;
 
 class OpenIdVerificator
 {
@@ -26,13 +27,8 @@ public function __construct(Client $guzzle, RSA $rsa, JWT $jwt)
         $this->jwt = $jwt;
     }
 
-    public function guardAgainstInvalidOpenIdToken($token)
+    public function guardAgainstInvalidOpenIdToken($decodedToken)
     {
-        $kid = $this->getKidFromOpenIdToken($token);
-        $publicKey = $this->getPublicKey($kid);
-
-        $decodedToken = $this->jwt->decode($token, $publicKey, ['RS256']);
-
         /**
          * https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
          */
@@ -44,6 +40,22 @@ public function guardAgainstInvalidOpenIdToken($token)
         if ($decodedToken->exp < time()) {
             throw new CloudSchedulerException('The given OpenID token has expired');
         }
+
+        if ($decodedToken->aud !== config('laravel-google-cloud-scheduler.app_url')) {
+            throw new CloudSchedulerException('The given OpenID token is not valid');
+        }
+    }
+
+    public function decodeToken($token)
+    {
+        try {
+            $kid = $this->getKidFromOpenIdToken($token);
+            $publicKey = $this->getPublicKey($kid);
+
+            return $this->jwt->decode($token, $publicKey, ['RS256']);
+        } catch (Throwable $e) {
+            throw new CloudSchedulerException('Could not decode token');
+        }
     }
 
     public function getPublicKey($kid = null)

src/TaskHandler.php

@@ -4,7 +4,6 @@
 
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Artisan;
-use Throwable;
 
 class TaskHandler
 {
@@ -46,11 +45,9 @@ private function authorizeRequest()
 
         $openIdToken = $this->request->bearerToken();
 
-        try {
-            $this->openId->guardAgainstInvalidOpenIdToken($openIdToken);
-        } catch (Throwable $e) {
-            throw new CloudSchedulerException('Unauthorized');
-        }
+        $decodedToken = $this->openId->decodeToken($openIdToken);
+
+        $this->openId->guardAgainstInvalidOpenIdToken($decodedToken);
     }
 
     private function cleanOutput($output)

tests/TaskHandlerTest.php

@@ -10,6 +10,7 @@
 use Stackkit\LaravelGoogleCloudScheduler\Command;
 use Stackkit\LaravelGoogleCloudScheduler\OpenIdVerificator;
 use Stackkit\LaravelGoogleCloudScheduler\TaskHandler;
+use Throwable;
 
 class TaskHandlerTest extends TestCase
 {
@@ -43,6 +44,7 @@ public function it_executes_the_incoming_command()
     {
         $this->fakeCommand->shouldReceive('capture')->andReturn('env');
         $this->openId->shouldReceive('guardAgainstInvalidOpenIdToken')->andReturnNull();
+        $this->openId->shouldReceive('decodeToken')->andReturnNull();
 
         $output = $this->taskHandler->handle();
 
@@ -72,7 +74,61 @@ public function it_requires_a_jwt_signed_by_google()
         $this->request->headers->add(['Authorization' => 'Bearer ' . $dummyJwt]);
 
         $this->expectException(CloudSchedulerException::class);
-        $this->expectExceptionMessage('Unauthorized');
+        $this->expectExceptionMessage('Could not decode token');
+
+        $this->taskHandler->handle();
+    }
+
+    /** @test */
+    public function the_issue_identifier_should_be_google()
+    {
+        $this->expectExceptionMessage('The given OpenID token is not valid');
+
+        $this->openId->shouldReceive('decodeToken')->andReturn((object) [
+            'iss' => 'accounts.not-google.com',
+        ]);
+
+        $this->taskHandler->handle();
+    }
+
+    /** @test */
+    public function the_token_must_not_be_expired()
+    {
+        $this->expectExceptionMessage('The given OpenID token has expired');
+
+        $this->openId->shouldReceive('decodeToken')->andReturn((object) [
+            'iss' => 'accounts.google.com',
+            'exp' => time() - 10,
+        ]);
+
+        $this->taskHandler->handle();
+    }
+
+    /** @test */
+    public function the_aud_claim_must_be_the_same_as_the_app_id()
+    {
+        config()->set('laravel-google-cloud-scheduler.app_url', 'my-application.com');
+        $this->fakeCommand->shouldReceive('capture')->andReturn('env');
+        $this->openId->shouldReceive('decodeToken')->andReturn((object) [
+            'iss' => 'accounts.google.com',
+            'exp' => time() + 10,
+            'aud' => 'my-application.com',
+        ])->byDefault();
+
+        try {
+            $this->taskHandler->handle();
+        } catch (Throwable $e) {
+            $this->fail('The command should not have thrown an exception');
+        }
+
+        $this->openId->shouldReceive('decodeToken')->andReturn((object) [
+            'iss' => 'accounts.google.com',
+            'exp' => time() + 10,
+            'aud' => 'my-other-application.com',
+        ]);
+
+        $this->expectException(CloudSchedulerException::class);
+        $this->expectExceptionMessage('The given OpenID token is not valid');
 
         $this->taskHandler->handle();
     }