I am a bit confused. I am playing around with Google Authentication in PHP. I have an index.php page which only has the link to my Google Authentication page, which is called google-auth.php and is responsible for the authentication and receiving the access token. After successful authentication the user is being redirected to a welcome.php page. Both files look like this.
index.php
<a href="google-auth.php" class="field google">
    <img src="images/google.png" alt="" class="google-img">
    <span>Login with Google</span>
</a>
google-auth.php
<?php
require_once 'vendor/autoload.php';
session_start();

$client = new Google_Client();
$client->setAuthConfig('...');
// Must match the URI registered in the Google console and point at the
// script that handles the ?code= callback, i.e. this one.
$client->setRedirectUri('http://localhost/php_google_login/google-auth.php');
$client->addScope('email');

if (isset($_GET['code'])) {
    // Exchange the one-time authorization code for tokens.
    $token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
    if (isset($token['error'])) {
        // The exchange failed (bad or expired code): log nobody in.
        http_response_code(401);
        exit('Authentication failed');
    }
    $client->setAccessToken($token);

    $oauth = new Google_Service_Oauth2($client);
    $userInfo = $oauth->userinfo->get();
    $email = $userInfo->email;

    $_SESSION['access_token'] = $token['access_token'];
    $user = new User();
    $_SESSION['user_db_id'] = $user->getIdByEmail($email);
    header("Location: welcome.php");
    exit();
} else {
    // Send the browser to Google's consent screen.
    $authUrl = $client->createAuthUrl();
    header("Location: " . $authUrl);
    exit();
}
So far it works. When I open index.php I am being redirected to the Google Authentication page. I type in my email address and am successfully redirected to welcome.php. It queries the database for the user id and stores it in a session variable (the assumption is that the user exists or is being created by some mechanism).
But now the question: how do I secure welcome.php or all other pages in my sandbox? Can I trust the $_SESSION variable? Can't it be "modified"? Or do I need to additionally check on each page for the existence of the $_SESSION["access_token"] variable and check its validity with Google_Client?
I have found something like this in the Google Documentation, which from my understanding validates the token:
<?php
require_once 'vendor/autoload.php';

// Get $id_token via HTTPS POST.
$id_token = $_POST['id_token'] ?? '';

$client = new Google_Client(['client_id' => $CLIENT_ID]); // Specify the CLIENT_ID of the app that accesses the backend
$payload = $client->verifyIdToken($id_token);
if ($payload) {
    $userid = $payload['sub'];
    // If request specified a G Suite domain:
    //$domain = $payload['hd'];
} else {
    // Invalid ID token
}
I am confused about what would be best practice. What is trustworthy and unchangeable in terms of variables?
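The point the question turns on is that $_SESSION is stored server-side; the browser only holds the session id cookie, so it cannot edit the values, but it can present a stolen or pre-set id. The following is an added example, not code from the question or from Google's library: a small auth.php that every protected page includes. It assumes the names establish_login_session(), require_login(), google_token_is_usable() and login.php, and it stores the whole token array returned by fetchAccessTokenWithAuthCode() (not just the access_token string) because Google_Client::isAccessTokenExpired() needs the created and expires_in fields.

```php
<?php
// Added example (not part of the question): session guard for welcome.php
// and other protected pages. Assumed names: establish_login_session(),
// require_login(), google_token_is_usable(), login.php.
declare(strict_types=1);

require_once 'vendor/autoload.php';

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session id is the only secret the browser holds; keep it out of
    // JavaScript, off plain HTTP, and off cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // assumption: the app is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call this in google-auth.php once Google has identified the user and the
// database id is known, instead of writing to $_SESSION directly. Rotating
// the id means a session fixed before login cannot be reused afterwards.
function establish_login_session(int $userDbId, array $googleToken): void
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION = [
        'user_db_id'   => $userDbId,
        'google_token' => $googleToken,   // full array from fetchAccessTokenWithAuthCode()
        'logged_in_at' => time(),
    ];
}

// Guard for welcome.php and every other protected page; returns the user id.
function require_login(int $maxAgeSeconds = 8 * 3600): int
{
    start_secure_session();

    $userId = $_SESSION['user_db_id'] ?? null;
    $since  = $_SESSION['logged_in_at'] ?? 0;

    // Server-side data cannot be edited by the browser, but it can be
    // stale: expire old logins rather than trusting them forever.
    if (!is_int($userId) || $userId <= 0 || time() - $since > $maxAgeSeconds) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit();
    }
    return $userId;
}

// Only needed when a page will call Google APIs on the user's behalf. The
// local login decision should rest on the server-side session, not on
// Google being reachable for every request.
function google_token_is_usable(Google_Client $client): bool
{
    $token = $_SESSION['google_token'] ?? null;
    if (!is_array($token) || empty($token['access_token'])) {
        return false;
    }
    $client->setAccessToken($token);
    return !$client->isAccessTokenExpired();
}
```

Usage: welcome.php starts with `require 'auth.php'; $userId = require_login();` and then uses `$userId` for its database lookups; google-auth.php replaces its two `$_SESSION[...] =` lines with `establish_login_session($user->getIdByEmail($email), $token);`. The ID-token check from the Google documentation belongs to a different flow (a client-side sign-in button posting an id_token to the backend); in the server-side code flow shown in the question, the identity has already been established when the code is exchanged, so the server-side session is what each page should check.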