We are migrating our (PHP) website to GAE standard and 'rebuilding' it with Laravel. Our website contains a folder called /admin which we do not want to be available to the public. So I've put this in the app.yaml file:
- url: /admin
  secure: always
  redirect_http_response_code: 301
  script: auto
  login: required
This does (kind of) work. If I go to the default URL everyone can see it. If I add /admin to it, I have to log in with my Google account first. The problem is that I thought this would only work for our own Google accounts, but it seems that everybody with a Google account can log in and access the /admin part of our website.
What am I doing wrong, or is it maybe not possible to have a public and a private part of the App Engine service?
When a URL handler with a login setting other than optional matches a URL, the handler first checks whether the user has signed in to the application using its authentication option.
By default, your app will use Google Accounts for authentication. To choose another option, such as Google Workspace domain, go to the settings page for your project in the Google Cloud console and click Edit. In the Google authentication dropdown menu, select the desired authentication type, and then click Save.
Change login: required to login: admin, which would mean only administrators of the project will be able to log in. As the documentation says: "In addition, if the user is not an administrator for the application, they are given an error message regardless of the auth_fail_action setting. If the user is an administrator, the handler proceeds."
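The difference between the two settings is easy to miss in a code review, so here is a small app.yaml audit script, added as an example for this thread and not code from the question, the answer, or Google. It embeds two constructed app.yaml files: the handler from the question (which admits any Google account because `login: required` only demands that the visitor is signed in) and the hardened version using `login: admin` from the answer. The `php81` runtime line and the `/admin(/.*)?` pattern are assumptions for the sample; the sub-path check relies on App Engine matching `url` patterns against the whole request path, so a bare `/admin` pattern does not cover `/admin/users`. The parser handles only the flat `handlers:` list shown here, to avoid a PyYAML dependency.

```python
# Constructed sample: the handler from the question. `login: required`
# only requires *a* Google login, so every Google account can reach /admin.
WEAK_APP_YAML = """\
runtime: php81
handlers:
- url: /admin
  secure: always
  redirect_http_response_code: 301
  script: auto
  login: required
- url: /.*
  secure: always
  script: auto
"""

# Constructed sample: the fix from the answer. `login: admin` limits the path
# to project administrators, and the pattern also covers /admin/... sub-paths
# (assumption: App Engine matches url patterns against the full path).
HARDENED_APP_YAML = """\
runtime: php81
handlers:
- url: /admin(/.*)?
  secure: always
  redirect_http_response_code: 301
  script: auto
  login: admin
- url: /.*
  secure: always
  script: auto
"""


def parse_handlers(text):
    """Minimal parser for the `handlers:` list of a simple app.yaml.

    Supports only `- url:` items followed by indented `key: value` lines,
    which is all the samples above use. Returns a list of dicts.
    """
    handlers = []
    in_handlers = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        # A non-indented line starts a new top-level key.
        if not line.startswith((" ", "-")):
            in_handlers = line.startswith("handlers:")
            continue
        if not in_handlers:
            continue
        stripped = line.lstrip()
        if stripped.startswith("- "):
            handlers.append({})          # new list item
            stripped = stripped[2:]
        key, _, value = stripped.partition(":")
        handlers[-1][key.strip()] = value.strip()
    return handlers


def audit_private_paths(text, private_prefixes=("/admin",)):
    """Return (url_pattern, problem) pairs for handlers that guard a private
    prefix but do not restrict it to project administrators."""
    findings = []
    for h in parse_handlers(text):
        pattern = h.get("url", "")
        if not any(pattern.startswith(p) for p in private_prefixes):
            continue
        login = h.get("login", "optional")   # App Engine default is optional
        if login == "required":
            findings.append((pattern, "login: required admits any Google account; use login: admin"))
        elif login != "admin":
            findings.append((pattern, "no login restriction on a private path"))
        if h.get("secure") != "always":
            findings.append((pattern, "secure: always missing"))
        if ".*" not in pattern:
            findings.append((pattern, "pattern matches only the exact path; sub-paths fall through to the catch-all handler"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_APP_YAML), ("hardened", HARDENED_APP_YAML)):
        print(name, audit_private_paths(doc) or "no findings")
```

The script can only reason about what is in app.yaml; the Google Workspace domain restriction mentioned in the answer is a project-level setting in the Cloud console and is invisible here, so a clean audit still needs that setting checked separately.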