adding login: required to app.yaml still gives access to everyone with google account

Question

We migrating our (php) website to GAE standard and 'rebuilding' it with Laravel. Our website contains a folder called /admin which we do not want to be available for the public. So i've put this in the app.yaml file:

- url: /admin
   secure: always
   redirect_http_response_code: 301
   script: auto
   login: required

This does (kind of) work. If i go to the default url everyone can see it. if i add /admin to it i have to login with my google account first. Problem is that i thought this would only work for our own google accounts, but it seems that everybody with a google account can log in and access the /admin part of our website.

What am i doing wrong, or is this maybe not possible to have a public and a private part of the app engine service?

Answer 1

1. That is expected behavior. According to the documentation,

When a URL handler with a login setting other than optional matches a URL, the handler first checks whether the user has signed in to the application using its authentication option.

2. If you have a Google workspace account and you only want folks on that to login, then the documentation for authentication option says

By default, your app will use Google Accounts for authentication. To choose another option, such as Google Workspace domain, go to the settings page for your project in the Google Cloud console and click Edit. In the Google authentication dropdown menu, select the desired authentication type, and then click Save.

3. If you don't have a Google workspace account and you only want 'select' people with google accounts to login, then you can consider changing it from login: required to login: admin which would mean only administrators of the project will be able to login. As the documentation says

In addition, if the user is not an administrator for the application, they are given an error message regardless of the auth_fail_action setting. If the user is an administrator, the handler proceeds.