Gae Auth Bundle Laravel Package

Getting Started

Minimal Setup

1. Installation Add the bundle to your composer.json:

   composer require chrisns/gae-auth-bundle
   

   Enable it in config/bundles.php:

   return [
       // ...
       Chrisns\GaeAuthBundle\GaeAuthBundle::class => ['all' => true],
   ];
   

2. Configuration Update config/packages/gae_auth.yaml (create if missing):

   gae_auth:
       enabled: true
       service_account_key: '%env(GAE_SERVICE_ACCOUNT_KEY)%'
       project_id: '%env(GAE_PROJECT_ID)%'
   

3. First Use Case Authenticate a user via Google App Engine (GAE) Identity Platform:

   use Chrisns\GaeAuthBundle\Service\GaeAuthService;
   
   $authService = $this->container->get(GaeAuthService::class);
   $user = $authService->authenticate($request);
   

Implementation Patterns

Workflow Integration

1. User Registration Extend FOSUserBundle's registration flow to validate GAE tokens:

   // src/EventListener/GaeAuthListener.php
   use Chrisns\GaeAuthBundle\Event\GaeAuthEvent;
   
   public function onRegistration(GaeAuthEvent $event) {
       $token = $event->getToken();
       if (!$this->validateGaeToken($token)) {
           throw new \RuntimeException('Invalid GAE token');
       }
   }
   

2. Login Flow Use the bundle’s GaeAuthListener to handle GAE auth in security.yaml:

   security:
       firewalls:
           main:
               pattern: ^/
               stateless: true
               anonymous: true
               provider: fos_userbundle
               entry_point: chrisns_gae_auth
   

3. User Sync Sync GAE user data with your User entity:

   $gaeUserData = $authService->fetchUserData($token);
   $user->setGoogleId($gaeUserData['sub']);
   $user->setEmail($gaeUserData['email']);
   $user->save();
   

Common Patterns

• Token Validation: Reuse GaeAuthService::validateToken() for custom endpoints.
• Role Assignment: Map GAE roles to Symfony roles via GaeAuthListener:

  gae_auth:
      role_mapping:
          'gae:admin' => 'ROLE_ADMIN'
  

Gotchas and Tips

Pitfalls

1. Token Expiry GAE tokens expire. Cache validated tokens (e.g., with Symfony\Component\Cache\Adapter\AdapterInterface):

   $cache = $this->container->get('cache.app');
   $token = $cache->get('gae_token_' . $userId);
   

2. Service Account Key

   • Never hardcode service_account_key. Use environment variables or Symfony’s %kernel.project_dir%/config/gae_key.json.
   • Permissions: Ensure the service account has identitytoolkit.GetAccountInfo scope.

3. FOSUserBundle Conflict

   • If using FOSUserBundle, override its UserManager to integrate GAE logic:

     $userManager->setGaeAuthService($authService);
     

Debugging Tips

• Enable Logging: Add to config/packages/monolog.yaml:

  handlers:
      gae_auth:
          type: stream
          path: '%kernel.logs_dir%/gae_auth.log'
          level: debug
  

• Test Locally: Use the GAE Emulator to mock auth responses.

Extension Points

1. Custom Claims Extend GaeAuthService to handle custom GAE claims:

   public function getCustomClaim($token, string $claimName) {
       $decoded = $this->decodeToken($token);
       return $decoded['custom_claims'][$claimName] ?? null;
   }
   

2. Multi-Provider Combine with other auth providers (e.g., OAuth) via a custom Authenticator:

   use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
   
   public function supports(Request $request) {
       return $request->headers->has('X-GAE-Token');
   }
   

3. Webhook Validation For server-to-server auth, validate tokens via GAE’s Identity Toolkit API:

   $client = new \Google_Client();
   $client->setAuthConfig($serviceAccountKey);
   $response = $client->getAccountInfo($token);