Simplify authorization with simple token instead of hacky signed audience

Author: marickvantuil

README.md

@@ -35,6 +35,12 @@ Please check the [Laravel support policy](https://laravel.com/docs/master/releas
   composer require stackkit/laravel-google-cloud-tasks-queue
   ```
 
+  Publish the service provider:
+
+   ```console
+   php artisan vendor:publish --provider=cloud-tasks
+   ```
+
   Add a new queue connection to `config/queue.php`
 
   ```php
@@ -51,7 +57,6 @@ Please check the [Laravel support policy](https://laravel.com/docs/master/releas
       // Required when not using AppEngine
       'handler'               => env('STACKKIT_CLOUD_TASKS_HANDLER', ''),
       'service_account_email' => env('STACKKIT_CLOUD_TASKS_SERVICE_EMAIL', ''),
-      'signed_audience'       => env('STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE', true),
 
       // Optional: The deadline in seconds for requests sent to the worker. If the worker
       // does not respond by this deadline then the request is cancelled and the attempt
@@ -61,7 +66,17 @@ Please check the [Laravel support policy](https://laravel.com/docs/master/releas
   ],
   ```
 
-Update the `QUEUE_CONNECTION` environment variable
+If you are using separate services for dispatching and handling tasks, you may want to change the following settings:
+
+```php
+// config/cloud-tasks.php
+
+// If the application only dispatches jobs
+'disable_task_handler' => env('STACKKIT_CLOUD_TASKS_DISABLE_TASK_HANDLER', false),
+
+// If the application only handles jobs and is secured by already (e.g. requires Authentication)
+'disable_security_key_verification' => env('STACKKIT_CLOUD_TASKS_DISABLE_SECURITY_KEY_VERIFICATION', false),
+```
 
   ```dotenv
   QUEUE_CONNECTION=cloudtasks
@@ -82,7 +97,6 @@ Please check the table below on what the values mean and what their value should
 | **Non- App Engine apps**
 | `STACKKIT_CLOUD_TASKS_SERVICE_EMAIL`   (optional) | The email address of the service account. Important, it should have the correct roles. See the section below which roles.                                |`my-service-account@appspot.gserviceaccount.com`
 | `STACKKIT_CLOUD_TASKS_HANDLER` (optional)         | The URL that Cloud Tasks will call to process a job. This should be the URL to your Laravel app. By default we will use the URL that dispatched the job. |`https://<your website>.com`
-| `STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE` (optional) | True or false depending if you want extra security by signing the audience of your tasks. May misbehave in certain Cloud Run setups. Defaults to true.   | `true`
 </details>
 <details>
 <summary>

composer.json

@@ -11,7 +11,6 @@
         "php": "^8.1",
         "ext-json": "*",
         "phpseclib/phpseclib": "^3.0",
-        "google/auth": "^v1.29.1",
         "google/cloud-tasks": "^1.10",
         "thecodingmachine/safe": "^1.0|^2.0"
     },

config/cloud-tasks.php

@@ -3,6 +3,12 @@
 declare(strict_types=1);
 
 return [
+    // If the application only dispatches jobs
+    'disable_task_handler' => env('STACKKIT_CLOUD_TASKS_DISABLE_TASK_HANDLER', false),
+
+    // If the application only handles jobs and is secured by already (e.g. requires Authentication)
+    'disable_security_key_verification' => env('STACKKIT_CLOUD_TASKS_DISABLE_SECURITY_KEY_VERIFICATION', false),
+
     'dashboard' => [
         'enabled' => env('STACKKIT_CLOUD_TASKS_DASHBOARD_ENABLED', false),
         'password' => env('STACKKIT_CLOUD_TASKS_DASHBOARD_PASSWORD', 'MyPassword1!'),

src/CloudTasksQueue.php

@@ -120,6 +120,7 @@ protected function pushToCloudTasks($queue, $payload, $delay = 0)
         $payload = $this->withQueueName($payload, $queue);
         $payload = $this->withTaskName($payload, $task->getName());
         $payload = $this->withConnectionName($payload, $this->getConnectionName());
+        $payload = $this->withSecurityKey($payload);
 
         if (! empty($this->config['app_engine'])) {
             $path = \Safe\parse_url(route('cloud-tasks.handle-task'), PHP_URL_PATH);
@@ -143,9 +144,6 @@ protected function pushToCloudTasks($queue, $payload, $delay = 0)
 
             $token = new OidcToken;
             $token->setServiceAccountEmail($this->config['service_account_email']);
-            if ($audience = $this->getAudience()) {
-                $token->setAudience($audience);
-            }
             $httpRequest->setOidcToken($token);
             $task->setHttpRequest($httpRequest);
         }
@@ -221,6 +219,13 @@ private function withConnectionName(array $payload, string $connectionName): arr
         return $payload;
     }
 
+    private function withSecurityKey(array $payload): array
+    {
+        $payload['internal']['securityKey'] = encrypt($this->config['security_key'] ?? $payload['uuid']);
+
+        return $payload;
+    }
+
     /**
      * Pop the next job off of the queue.
      *
@@ -257,9 +262,4 @@ public function getHandler(): string
             default => $handler,
         };
     }
-
-    public function getAudience(): ?string
-    {
-        return Config::getAudience($this->config);
-    }
 }

src/CloudTasksServiceProvider.php

@@ -29,7 +29,6 @@ private function registerClient(): void
             return new CloudTasksClient();
         });
 
-        $this->app->bind('open-id-verificator', OpenIdVerificatorConcrete::class);
         $this->app->bind('cloud-tasks-api', CloudTasksApiConcrete::class);
     }
 
@@ -56,6 +55,10 @@ private function registerConfig(): void
 
     private function registerRoutes(): void
     {
+        if (config('cloud-tasks.disable_task_handler')) {
+            return;
+        }
+
         /**
          * @var \Illuminate\Routing\Router $router
          */