Fixing Token Header Auth (#1863)
So it looks like Silex removes the `Authorization` header for some
reason, so I've added a fallback of checking the results of the PHP
built-in function `getallheaders`.

I also added a couple of comments to help with reading things after the
fact.

Co-authored-by: Ryan Rathsam <rrathsam@gmail.com>
ryanrath and spark0r authored Jun 7, 2024
1 parent 366af42 commit 22941db
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion classes/Rest/Controllers/BaseControllerProvider.php
Expand Up @@ -756,6 +756,8 @@ protected function getTimestamp($date, $paramName = 'date', $format = 'Y-m-d')
}

/**
* Attempt to authorize the the provided `$request` via an included API Token.
*
* @param Request $request
* @return \XDUser
* @throws BadRequestHttpException if the provided token is empty, or there is not a provided token.
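Review bot: the docblock in this hunk has a doubled word ("authorize the the provided `$request`"), and its visible `@throws` annotation names only `BadRequestHttpException` while the token check further down in this function throws `UnauthorizedHttpException` when no token is present; unless a hidden docblock line already covers it, add `@throws UnauthorizedHttpException if no API token is supplied` so callers know which exception to expect, and fix the typo while the comment is being touched.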
Expand All @@ -765,12 +767,25 @@ protected function authenticateToken($request)
{
// NOTE: While we prefer token's to be pulled from the 'Authorization' header, we also support a fallback lookup
// to the request's query params.
$authorizationHeader = $request->headers->get('Authorization');

// Also, we check `getallheaders` because for some reason Silex seems to gobble up the `Authorization` header.
$allHeaders = getallheaders();

$authorizationHeader = null;
if ($request->headers->has('Authorization')) {
$authorizationHeader = $request->headers->get('Authorization');
} elseif (array_key_exists('Authorization', $allHeaders)) {
$authorizationHeader = $allHeaders['Authorization'];
}

// Fall back to getting the token from the request(PATH,GET,BODY).
if (empty($authorizationHeader) || strpos($authorizationHeader, Tokens::HEADER_KEY) === false) {
$rawToken = $request->get(Tokens::HEADER_KEY);
} else {
$rawToken = substr($authorizationHeader, strpos($authorizationHeader, Tokens::HEADER_KEY) + strlen(Tokens::HEADER_KEY) + 1);
}

// If it's still empty, then no token == no access.
if (empty($rawToken)) {
throw new UnauthorizedHttpException(
Tokens::HEADER_KEY,
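Review bot: `getallheaders()` is called unconditionally at the top of the new block, but that function is only defined under some SAPIs (Apache, and FastCGI/FPM on newer PHP); under a SAPI that lacks it the call is a fatal undefined-function error on every token request, so guard it, e.g. `$allHeaders = function_exists('getallheaders') ? getallheaders() : [];`. Second, the fallback lookup `array_key_exists('Authorization', $allHeaders)` is case-sensitive while HTTP header names are not (and `$request->headers->has('Authorization')` already matches case-insensitively), so a client sending `authorization:` in lower case would silently be treated as having no header and dropped to the query-param path; normalising with `array_change_key_case($allHeaders, CASE_LOWER)` and looking up `'authorization'` keeps the two lookups consistent. Finally, the `substr(..., strpos(...) + strlen(Tokens::HEADER_KEY) + 1)` extraction assumes exactly one separator character after the key, so any extra whitespace ends up inside `$rawToken`; a `trim()` on the result would make the header path as forgiving as the `$request->get()` path, and since that fallback accepts tokens from PATH/GET, it is worth a note that tokens passed in the query string will appear in access logs.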
