google-api-php-client: authenticate() accepts invalid tokens

The following code works for me without any error; it gives me all user details:

```php
/* Verify Google session. */
$client = new Google_Client();
$client->setAccessType('online');
$client->setClientId(GOOGLE_CLIENT_ID);
$client->setClientSecret(GOOGLE_CLIENT_SECRET);
$client->setRedirectUri(oauth_get_current_uri());
$client->setScopes(array(
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile"
));

$code = substr($_GET['code'], 0, -3) . '123';
$client->authenticate($code);

/* Request user info from Google. */
$google_oauthV2 = new Google_Service_Oauth2($client);
$user_info = $google_oauthV2->userinfo->get();
```

Since I modify the code that I receive from Google, I would expect the call to authenticate() or at least the userinfo->get() call to fail. However, no error occurs; I get all user info.

Is this a bug, or am I missing something essential here?

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 16 (5 by maintainers)

Most upvoted comments

it should be

```php
/* Only exchange the authorization code when the request actually carries one. */
if (isset($_GET['code'])) {
    $client->authenticate($_GET['code']);
}
```