Description
I am wondering why during the IdTokenValidation TaskHandler.php there is no check if the service account listed in the token matches the service account configured via STACKKIT_CLOUD_TASKS_SERVICE_EMAIL.
Without this check it would be possible to invoke the handle service route from a different queue.
Example - Assuming there are 2 cloud run services in 2 different google projects. Service A in project P1 and Service B in project P2.
Service A has the endpoint a-xyz.a.run.app/handle-task
Service B has the endpoint b-xyz.a.run.app/handle-task
Service A configures its STACKKIT_CLOUD_TASKS_HANDLER to point to Service B (b-xyz.a.run.app/handle-task).
Service A has a service account configured via STACKKIT_CLOUD_TASKS_SERVICE_EMAIL which has permission to add the task to its queue.
When the queue wants the task (created by service A) to be executed, the handle-task route from Service B is called. Within Service B the verifyToken will result in a valid google token and therefore the task is executed.