Make audience signing optional

Author: Tarpsvo

README.md

@@ -45,6 +45,7 @@ Please check the [Laravel support policy](https://laravel.com/docs/master/releas
       'handler' => env('STACKKIT_CLOUD_TASKS_HANDLER', ''),
       'queue' => env('STACKKIT_CLOUD_TASKS_QUEUE', 'default'),
       'service_account_email' => env('STACKKIT_CLOUD_TASKS_SERVICE_EMAIL', ''),
+      'signed_audience' => env('STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE', false),
       // Optional: The deadline in seconds for requests sent to the worker. If the worker
       // does not respond by this deadline then the request is cancelled and the attempt
       // is marked as a DEADLINE_EXCEEDED failure.
@@ -70,6 +71,7 @@ Please check the table below on what the values mean and what their value should
 | `STACKKIT_CLOUD_TASKS_QUEUE`         | The default queue a job will be added to                                                                                                                                                  |`emails`
 | `STACKKIT_CLOUD_TASKS_SERVICE_EMAIL` | The email address of the service account. Important, it should have the correct roles. See the section below which roles.                                                        |`my-service-account@appspot.gserviceaccount.com`
 | `STACKKIT_CLOUD_TASKS_HANDLER` (optional) | The URL that Cloud Tasks will call to process a job. This should be the URL to your Laravel app. By default we will use the URL that dispatched the job. |`https://<your website>.com`
+| `STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE` (optional) | True or false depending if you want extra security by signing the audience of your tasks. May misbehave in certain Cloud Run setups. Defaults to false. | `false`
 </details>
 <details>
 <summary>

src/CloudTasksQueue.php

@@ -132,12 +132,13 @@ function ($payload, $queue, $delay) {
      */
     protected function pushToCloudTasks($queue, $payload, $delay = 0)
     {
+        $handleTargetUrl = $this->getHandler();
         $queue = $this->getQueue($queue);
         $queueName = $this->client->queueName($this->config['project'], $this->config['location'], $queue);
         $availableAt = $this->availableAt($delay);
 
         $httpRequest = $this->createHttpRequest();
-        $httpRequest->setUrl($this->getHandler());
+        $httpRequest->setUrl($handleTargetUrl);
         $httpRequest->setHttpMethod(HttpMethod::POST);
 
         $payload = json_decode($payload, true);
@@ -167,14 +168,14 @@ protected function pushToCloudTasks($queue, $payload, $delay = 0)
 
         $token = new OidcToken;
         $token->setServiceAccountEmail($this->config['service_account_email']);
-        $token->setAudience(hash_hmac('sha256', $this->getHandler(), config('app.key')));
+        $token->setAudience($this->getAudience());
         $httpRequest->setOidcToken($token);
 
         if ($availableAt > time()) {
             $task->setScheduleTime(new Timestamp(['seconds' => $availableAt]));
         }
 
-        $createdTask = CloudTasksApi::createTask($queueName, $task);
+        CloudTasksApi::createTask($queueName, $task);
 
         event((new TaskCreated)->queue($queue)->task($task));
 
@@ -268,4 +269,9 @@ public function getHandler(): string
     {
         return Config::getHandler($this->config['handler']);
     }
+
+    public function getAudience(): string
+    {
+        return Config::getAudience($this->config);
+    }
 }

src/Config.php

@@ -82,4 +82,16 @@ public static function getHandler($handler): string
             );
         }
     }
+
+    /**
+     * @param string $handler
+     */
+    public static function getAudience(array $config): string
+    {
+        $handler = self::getHandler($config['handler']);
+
+        return $config['signed_audience'] ?? false
+            ? hash_hmac('sha256', $handler, config('app.key'))
+            : $handler;
+    }
 }

src/OpenIdVerificatorConcrete.php

@@ -18,7 +18,7 @@ public function verify(?string $token, array $config): void
         (new AccessToken())->verify(
             $token,
             [
-                'audience' => hash_hmac('sha256', app('queue')->getHandler(), config('app.key')),
+                'audience' => Config::getAudience($config),
                 'throwException' => true,
             ]
         );

src/OpenIdVerificatorFake.php

@@ -17,7 +17,7 @@ public function verify(?string $token, array $config): void
         (new AccessToken())->verify(
             $token,
             [
-                'audience' => hash_hmac('sha256', app('queue')->getHandler(), config('app.key')),
+                'audience' => Config::getAudience($config),
                 'throwException' => true,
                 'certsLocation' => __DIR__ . '/../tests/Support/self-signed-public-key-as-jwk.json',
             ]