From 8e84c922cea6a142d1a28210539a51fcc8c7ec20 Mon Sep 17 00:00:00 2001
From: l2m83
Date: Sat, 3 Aug 2019 14:28:53 -0700
Subject: [PATCH] Support multiple authorization header for REST API

Fixes #25362
---
 api/rest/restcore/AuthMiddleware.php | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/api/rest/restcore/AuthMiddleware.php b/api/rest/restcore/AuthMiddleware.php
index 0d413a65bf..d1420af1c6 100644
--- a/api/rest/restcore/AuthMiddleware.php
+++ b/api/rest/restcore/AuthMiddleware.php
@@ -51,14 +51,29 @@ public function __invoke( \Slim\Http\Request $request, \Slim\Http\Response $resp
 }
 } else {
 # TODO: add an index on the token hash for the method below
- $t_user_id = api_token_get_user( $t_authorization_header );
+
+ # Manage multiple authorization header (ex: Basic + token)
+ $t_authorization_headers = explode(', ', $t_authorization_header);
+ $t_user_id = false;
+ $t_api_token = '';
+
+ # Search for the token among the different authorization headers.
+ foreach( $t_authorization_headers as $value ) {
+ $t_user_id = api_token_get_user( $value );
+ if( $t_user_id !== false ) {
+ # Valid token found
+ $t_api_token = $value;
+ break;
+ }
+ }
+
 if( $t_user_id === false ) {
 return $response->withStatus( HTTP_STATUS_FORBIDDEN, 'API token not found' );
 }
 # use api token
 $t_login_method = LOGIN_METHOD_API_TOKEN;
- $t_password = $t_authorization_header;
+ $t_password = $t_api_token;
 $t_username = user_get_username( $t_user_id );
 }
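Review bot: The number of `api_token_get_user()` lookups per request is now chosen by the client, because the `foreach` over `explode(', ', $t_authorization_header)` calls it once per comma-separated segment while the TODO just above notes the token-hash column has no index; one request carrying many segments therefore costs many hash-and-scan lookups and also lets several token values be tried in a single request, which undercuts any per-request throttling. Cap the segment count before the loop and split on a bare comma, e.g. `$t_authorization_headers = array_slice( explode( ',', $t_authorization_header ), 0, 2 );`, then `trim()` each `$value` (the current `', '` split misses a `,` with no following space). A segment beginning with `Basic ` could be skipped rather than looked up as a token; the first branch of this `if`/`else` presumably handles Basic credentials, so confirm the interplay there. `__invoke()` and the enclosing `if`/`else` begin outside the hunk.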