'Authorization' is not included in the $request->headers by default, so this module does not work by default either...

[zzdjk6]

I was trying to validate the token after create it, but this module always told me that my token is not valid.

After some debug, I found that this module get the HTTP header information by calling $request->getHeader('Authorization');, but in fact, Authorization is not in there by default.

To prove this, we can just compare the headers information in index.php, by writing:

die(json_encode([
    'getallheaders()'        => getallheaders(),
    '$request->getHeaders()' => $request->getHeaders()
]));

And I got:

{
    "getallheaders()": {
        "Origin": "null",
        "cache-control": "no-cache",
        "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IkVtSUNOTFhBdG9TaTViNTAxYTc4M2NjZjc3LjUzNjYyMjA4In0.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6MTAxMTFcL3B1YmxpY1wvIiwiYXVkIjoibnVsbCIsImp0aSI6IkVtSUNOTFhBdG9TaTViNTAxYTc4M2NjZjc3LjUzNjYyMjA4IiwiaWF0IjoxNTMxOTc2MzEyLCJuYmYiOjE1MzE5NzYzMTIsImV4cCI6MTUzMTk3OTkxMiwidWlkIjoxfQ.zG41nIMO32NwTgJRayB33AOpwvxdqqRVrpCh7U6gMvQ",
        "User-Agent": "PostmanRuntime/7.1.1",
        "Accept": "*/*",
        "Host": "localhost:10111",
        "cookie": "PHPSESSID=68e3dd55fca8f1960c8a4ba18f1749f2",
        "accept-encoding": "gzip, deflate",
        "content-type": "multipart/form-data; boundary=--------------------------024306231536688986487523",
        "content-length": "246",
        "Connection": "keep-alive"
    },
    "$request->getHeaders()": {
        "mod-rewrite": "On",
        "origin": "null",
        "cache-control": "no-cache",
        "user-agent": "PostmanRuntime/7.1.1",
        "accept": "*/*",
        "host": "localhost:10111",
        "cookie": "PHPSESSID=68e3dd55fca8f1960c8a4ba18f1749f2",
        "accept-encoding": "gzip, deflate",
        "connection": "keep-alive",
        "content-type": "multipart/form-data; boundary=--------------------------024306231536688986487523",
        "content-length": "246"
    }
}

The $request object without Authorization header info is passed all the way down to the place when doing the validation, so that's why it failed by default.

After I made a trick to add the header info to $request manually, it works.

/* @var $request \SilverStripe\Control\HTTPRequest */
$request->addHeader('Authorization', getallheaders()['Authorization'] ?? '');

I am wondering if it is a durable idea to include a HTTP middleware in this module to add the required headers to $request if they are missing? Or maybe this module should use the raw information provided by PHP instead of the $request object while validating?

[zzdjk6]

Found the proper workaround: add SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 to the Apache config or .htaccess file.

The reason is that when using Apache with PHP under CGI/FastCGI mode, the Authorization header might be missing by default so that we can not access that via $_SERVER. See: http://php.net/manual/en/features.http-auth.php

The HTTPRequestBuilder class will include these headers properly if they are passed from Apache server correctly.

[ec8or]

Related if you're running PHP in CGI mode you may need to include this in your .htaccess:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

[Firesphere]

Apologies for not responding, but indeed this is a known (to me, that is) issue, I should add it to the readme. Added issue #16

[zzdjk6]

Thank you both @ec8or @Firesphere

I was living in a Nginx-only world for such a long time, so Apache is the new adventure to me ;)