From 05140609b212ce552d3d586032a53682c36bd9e6 Mon Sep 17 00:00:00 2001
From: Naoki Ikeguchi
Date: Fri, 2 Jun 2023 00:45:52 +0900
Subject: [PATCH] fix: Fix conditional logic

---
 src/Http/GoogleIapGuard.php | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/Http/GoogleIapGuard.php b/src/Http/GoogleIapGuard.php
index f0de3ec..2b361c9 100644
--- a/src/Http/GoogleIapGuard.php
+++ b/src/Http/GoogleIapGuard.php
@@ -34,20 +34,20 @@ public function __construct(
 */
 public function callback(): ?Authenticatable
 {
- if (!\is_string($jwt = $this->request->header('x-goog-iap-jwt-assertion'))) {
- // Required HTTP header is not provided.
- return null;
- }
+ /** @var null|Claims $claims */
+ $claims = null;
 
- try {
- $id = Assert::nonEmptyStringOrNull($this->request->header('x-goog-authenticated-user-id'));
- $email = Assert::nonEmptyStringOrNull($this->request->header('x-goog-authenticated-user-email'));
- $hd = ($email === null ? null : Assert::nonEmptyString(explode('@', $email)[1])) ?? 'example.com';
- } catch (AssertionException $e) {
- throw new MalformedClaimsException($e);
- }
+ if (\is_string($jwt = $this->request->header('x-goog-iap-jwt-assertion'))) {
+ $claims = $this->googleIdTokenVerifier->verify($jwt);
+ } elseif ($this->options['allow_insecure_headers'] ?? false) {
+ try {
+ $id = Assert::nonEmptyStringOrNull($this->request->header('x-goog-authenticated-user-id'));
+ $email = Assert::nonEmptyStringOrNull($this->request->header('x-goog-authenticated-user-email'));
+ $hd = ($email === null ? null : Assert::nonEmptyString(explode('@', $email)[1])) ?? 'example.com';
+ } catch (AssertionException $e) {
+ throw new MalformedClaimsException($e);
+ }
 
- if (($this->options['allow_insecure_headers'] ?? false) && ($id !== null || $email !== null)) {
 $claims = new Claims([
 'exp' => \PHP_INT_MAX,
 'iat' => 1,
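Review bot: The insecure-header branch no longer requires that an identity header was actually sent: the removed `$id !== null || $email !== null` guard has no counterpart in the new `elseif`, so with `allow_insecure_headers` enabled a request carrying neither the JWT assertion nor either `x-goog-authenticated-user-*` header still gets a `Claims` object built from the placeholder `sub`/`email` defaults shown in the next hunk. If that is not intended, restore the check right after the try/catch, e.g. `if ($id === null && $email === null) { return null; }`. Separately, `explode('@', $email)[1]` reads an offset that does not exist when the header value has no `@`; depending on the error handler and on how `Assert::nonEmptyString` is typed, that may surface as a warning or a different exception rather than the `MalformedClaimsException` the catch is meant to produce, so testing for the `@` first would keep malformed input on the intended path. The body of `callback()` and the `new Claims([...])` array continue outside this hunk.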
@@ -57,7 +57,9 @@ public function callback(): ?Authenticatable
 'sub' => $id ?? 'accounts.google.com:0',
 'email' => $email ?? 'accounts.google.com:insecure@example.com',
 ]);
- } elseif (!($claims = $this->googleIdTokenVerifier->verify($jwt)) instanceof Claims) {
+ }
+
+ if (!$claims instanceof Claims) {
 return null;
 }
 
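Review bot: The new `if (!$claims instanceof Claims)` check folds two different outcomes into one silent `return null` without a comment: no assertion header with the insecure fallback disabled, and an assertion that `verify()` did not turn into `Claims` (presumably a failed verification; its return type is not visible in this hunk). A one-line comment above the check would make that explicit for the next reader, e.g. `// Unauthenticated: no assertion header and no insecure fallback, or the assertion failed verification.` The rest of `callback()` lies outside the hunk, so whether these cases are distinguished later cannot be seen from here.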