Support multiple authorization header for REST API

Fixes #25362
mantisbt · Aug 3, 2019 · 8e84c92 · 8e84c92
1 parent f48812c
commit 8e84c92
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/api/rest/restcore/AuthMiddleware.php b/api/rest/restcore/AuthMiddleware.php
@@ -51,14 +51,29 @@ public function __invoke( \Slim\Http\Request $request, \Slim\Http\Response $resp
 			}
 		} else {
 			# TODO: add an index on the token hash for the method below
-			$t_user_id = api_token_get_user( $t_authorization_header );
+
+			# Manage multiple authorization header (ex: Basic + token)
+			$t_authorization_headers = explode(', ', $t_authorization_header);
+			$t_user_id = false;
+			$t_api_token  = '';
+
+			# Search for the token among the different authorization headers. 
+			foreach( $t_authorization_headers as $value ) {
+				$t_user_id = api_token_get_user( $value );
+				if( $t_user_id !== false ) {
+					# Valid token found
+					$t_api_token = $value;
+					break;
+				}
+			}
+
 			if( $t_user_id === false ) {
 				return $response->withStatus( HTTP_STATUS_FORBIDDEN, 'API token not found' );
 			}
 
 			# use api token
 			$t_login_method = LOGIN_METHOD_API_TOKEN;
-			$t_password = $t_authorization_header;
+			$t_password = $t_api_token;
 			$t_username = user_get_username( $t_user_id );
 		}