Fix #84 - Reverse proxy guard authenticates even with invalid headers

Bubka · May 18, 2022 · 0199ad3 · 0199ad3
1 parent c2edd69
commit 0199ad3
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/app/Services/Auth/ReverseProxyGuard.php b/app/Services/Auth/ReverseProxyGuard.php
@@ -69,7 +69,8 @@ public function user()
         $user = null;
 
         // Get the user identifier from $_SERVER or apache filtered headers
-        $remoteUserHeader = config('auth.auth_proxy_headers.user', 'REMOTE_USER');
+        $remoteUserHeader = config('auth.auth_proxy_headers.user');
+        $remoteUserHeader = $remoteUserHeader ?: 'REMOTE_USER';
 
         try {
             $identifier['user'] = request()->server($remoteUserHeader) ?? apache_request_headers()[$remoteUserHeader] ?? null;
@@ -78,8 +79,8 @@ public function user()
             $identifier['user'] = null;
         }
 
-        if (! $identifier['user']) {
-            Log::error(sprintf('No user in header "%s".', $remoteUserHeader));
+        if (!$identifier['user'] || is_array($identifier['user'])) {
+            Log::error(sprintf('Proxy remote-user header "%s" is empty or missing.', $remoteUserHeader));
             return $this->user = null;
         }