
I am using Google OAuth through Laravel Socialite to authenticate all the users in my web app.

I need the user session to end as soon as possible if the user logs out of their Google account.

I am trying to set up a middleware that would regularly check whether the user is still signed in with Google. But I can't find a way to ask "Is user@example.com still the current user on Google?"

I tried to get \Socialite::driver('google')->user() in the middleware, but that doesn't seem to work without doing a redirect to Google beforehand. I would like this check to be as quick and unobtrusive as possible. It should also work during a background AJAX call.

It seems that it would be trivial using client-side authentication, as there is gapi.auth2.init().isSignedIn.get(). However, that would mean I have to ask users for two authorizations (server-side and client-side), which seems wrong.

Looking at Google's docs, I see nothing that would let me check their authentication status apart from reauthenticating. The access token won't expire on logout... Is there a workaround?

Džuris

1 Answer

It turns out that we can actually use the gapi JavaScript library in tandem with Socialite - just use the same client token. I didn't expect that I would get all the info without logging in separately for the browser session, but it works.

I added the following code to the end of my master Blade template to check the state for authorized users.

@auth
<script>
    var currentUserEmail = '{{Auth::user()->email}}';  // user "sameness" criterion
    var googleClientId = '{{env('GOOGLE_ID')}}';  // the same oauth client id
</script>
<script src="https://apis.google.com/js/platform.js"></script>
<script src="{{mix('js/checkGoogleAuth.js')}}"></script>
@endauth

The checkGoogleAuth script is simple; I copied the Google tutorial and shortened it:

var auth2;               // The gapi.auth2 GoogleAuth object.
var loggingOut = false;  // Both listeners fire on sign-out; trigger logout only once.

/**
 * Initializes Sign-In v2 with the same OAuth client id the server uses
 * and sets up listeners for sign-in state changes.
 */
var initSigninV2 = function() {
  auth2 = gapi.auth2.init({
      client_id: googleClientId,
      scope: 'profile'
  });

  // Listen for sign-in state changes.
  auth2.isSignedIn.listen(checkState);
  auth2.currentUser.listen(checkState);

  // Listeners only fire on changes, so also check once initialization
  // has finished (catches a user who signed out of Google while away).
  auth2.then(checkState);
};

var checkState = function () {
    var signedIn = auth2.isSignedIn.get();
    // getBasicProfile() is only meaningful for a signed-in user.
    var profile = signedIn ? auth2.currentUser.get().getBasicProfile() : null;

    // Signed out of Google, or signed in as a different account than the
    // one behind the Laravel session.
    if (!profile || currentUserEmail != profile.getEmail()) {
        if (loggingOut) return;
        loggingOut = true;
        $('.logout-username').click();  // click the app's logout button (jQuery is assumed to be loaded by the master template)
    }
};

gapi.load('auth2', initSigninV2);  // launch it

I hope it helps someone else as well!

Džuris
  • It appears that this is broken for Safari 13.* Otherwise, it works great :) Thanks! – Brad Ahrens Jan 29 '20 at 18:27
  • There also seems to be a problem if someone is logged in on multiple accounts. It seems to happen when they are logged into another account first and then the main account that you are checking for. – Brad Ahrens Jan 29 '20 at 18:45
  • You are right, this glitches from time to time when people use multiple accounts in the same browser. I would appreciate another answer myself if you got a good solution for that. – Džuris Jan 29 '20 at 23:10
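The following is an added example, not code from the answer above or from Google's tutorial. It factors the answer's checkState() logic into a small guard that can be run under Node without gapi, and it addresses the two failure modes the comments mention: the account-switch case (a user signed into several Google accounts in one browser) and the fact that both the isSignedIn and currentUser listeners fire on sign-out, so the logout must be triggered only once. It compares accounts by the Google account id (what Socialite's user()->getId() returns, the OIDC sub) rather than by e-mail address, which assumes the Laravel app stores that id at login; the `currentUserGoogleId` Blade variable, the `fakeAuth2` test double, and the subset of the gapi.auth2.GoogleAuth API it mimics (isSignedIn.get/listen, currentUser.get/listen, then, GoogleUser.getBasicProfile, BasicProfile.getId) are assumptions made for the example. Note that this remains a client-side check: a user can simply block the script, so it shortens sessions for cooperative browsers but is not a server-side enforcement of Google's sign-in state.

```javascript
// Added example: a Google session-consistency guard decoupled from gapi.
// The `auth2` argument is assumed to behave like a gapi.auth2.GoogleAuth
// object for the few members used here; `expectedId` is the Google account
// id stored with the Laravel user (assumed, not shown on the original page).

function createSessionGuard(expectedId, onMismatch) {
  let fired = false; // isSignedIn and currentUser both fire on sign-out; act once

  // Google account id of the currently signed-in user, or null if none.
  function currentGoogleId(auth2) {
    if (!auth2.isSignedIn.get()) return null;
    const user = auth2.currentUser.get();
    const profile = user ? user.getBasicProfile() : undefined;
    return profile ? profile.getId() : null;
  }

  // Reason the app session must end ('signed-out' or 'account-switched'), or null.
  function evaluate(auth2) {
    const id = currentGoogleId(auth2);
    if (id === null) return 'signed-out';
    if (id !== expectedId) return 'account-switched';
    return null;
  }

  // Run the check and invoke onMismatch at most once per page load.
  function check(auth2) {
    const reason = evaluate(auth2);
    if (reason !== null && !fired) {
      fired = true;
      onMismatch(reason);
    }
    return reason;
  }

  // Wire the guard to a real GoogleAuth object: react to changes and also
  // check once initialization completes, since listeners only fire on change.
  function attach(auth2) {
    auth2.isSignedIn.listen(() => check(auth2));
    auth2.currentUser.listen(() => check(auth2));
    auth2.then(() => check(auth2));
  }

  return { check, evaluate, attach };
}

// Constructed test double standing in for GoogleAuth (not gapi itself):
// `signedInId` is the id of the signed-in account, or null when nobody is.
function fakeAuth2(signedInId) {
  const profile = signedInId === null ? undefined : { getId: () => signedInId };
  return {
    isSignedIn: { get: () => signedInId !== null, listen: () => {} },
    currentUser: { get: () => ({ getBasicProfile: () => profile }), listen: () => {} },
    then: (onInit) => onInit(),
  };
}

// Walk through the states the answer's comments mention: same account,
// a switch to a second Google account, then a full sign-out.
function simulate() {
  const events = [];
  const guard = createSessionGuard('1001', (reason) => events.push(reason));
  guard.check(fakeAuth2('1001')); // same account: nothing happens
  guard.check(fakeAuth2('2002')); // switched account: logout triggered once
  guard.check(fakeAuth2(null));   // already logging out: not triggered again
  return events;                  // ['account-switched']
}

// In the real page the wiring would be (assumed Blade variable currentUserGoogleId,
// same googleClientId as in the answer, jQuery loaded by the master template):
//   gapi.load('auth2', () => {
//     const auth2 = gapi.auth2.init({ client_id: googleClientId, scope: 'profile' });
//     createSessionGuard(currentUserGoogleId, () => $('.logout-username').click()).attach(auth2);
//   });
```

If the logout button is a POST form with Laravel's CSRF token, clicking it as the answer does is fine; a `fetch('/logout', { method: 'POST', ... })` carrying the same token works equally well for the background-AJAX case and avoids depending on a visible button being in the DOM.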