From 3639c87ff91d6c3f404ca94862ac53c5d26bb172 Mon Sep 17 00:00:00 2001
From: l2m83
Date: Tue, 16 Jul 2019 17:31:12 +0200
Subject: [PATCH 1/2] Bug correction for 0025362 manages multiple autorization header for REST API

---
 api/rest/restcore/AuthMiddleware.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/api/rest/restcore/AuthMiddleware.php b/api/rest/restcore/AuthMiddleware.php
index 0d413a65bf..88a2d142d4 100644
--- a/api/rest/restcore/AuthMiddleware.php
+++ b/api/rest/restcore/AuthMiddleware.php
@@ -51,14 +51,27 @@ public function __invoke( \Slim\Http\Request $request, \Slim\Http\Response $resp
 			}
 		} else {
 			# TODO: add an index on the token hash for the method below
-			$t_user_id = api_token_get_user( $t_authorization_header );
+
+			# Manage multiple authorization header (ex: Basic + token)
+			$authStringArray = explode(', ', $t_authorization_header);
+			$t_user_id = "";
+			$real_auth_header = "";
+			#Search for the token among the different authStrings
+			foreach ($authStringArray as $value) {
+				$t_user_id = api_token_get_user( $value );
+				if( $t_user_id !== false ) {
+					#Valid token found
+					$real_auth_header = $value;
+					break;
+				}
+			}
 			if( $t_user_id === false ) {
 				return $response->withStatus( HTTP_STATUS_FORBIDDEN, 'API token not found' );
 			}
 			# use api token
 			$t_login_method = LOGIN_METHOD_API_TOKEN;
-			$t_password = $t_authorization_header;
+			$t_password = $real_auth_header;
 			$t_username = user_get_username( $t_user_id );
 		}

From 069a011a4e37c5a5e30ad03187750903df0b3c7b Mon Sep 17 00:00:00 2001
From: l2m83
Date: Thu, 25 Jul 2019 11:58:36 +0200
Subject: [PATCH 2/2] Update due to code review on pull request

---
 api/rest/restcore/AuthMiddleware.php | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/api/rest/restcore/AuthMiddleware.php b/api/rest/restcore/AuthMiddleware.php
index 88a2d142d4..5e24c01fb7 100644
--- a/api/rest/restcore/AuthMiddleware.php
+++ b/api/rest/restcore/AuthMiddleware.php
@@ -53,25 +53,26 @@ public function __invoke( \Slim\Http\Request $request, \Slim\Http\Response $resp
 			# TODO: add an index on the token hash for the method below
 			# Manage multiple authorization header (ex: Basic + token)
-			$authStringArray = explode(', ', $t_authorization_header);
-			$t_user_id = "";
-			$real_auth_header = "";
-			#Search for the token among the different authStrings
-			foreach ($authStringArray as $value) {
-				$t_user_id = api_token_get_user( $value );
+			$t_authorization_headers = explode(', ', $t_authorization_header);
+			$t_user_id = false;
+			$t_api_token = '';
+			# Search for the token among the different authorization headers.
+			foreach ($t_authorization_headers as $value) {
+				$t_user_id = api_token_get_user( $value );
 				if( $t_user_id !== false ) {
-					#Valid token found
-					$real_auth_header = $value;
+					# Valid token found
+					$t_api_token = $value;
 					break;
 				}
 			}
+
 			if( $t_user_id === false ) {
 				return $response->withStatus( HTTP_STATUS_FORBIDDEN, 'API token not found' );
 			}
 			# use api token
 			$t_login_method = LOGIN_METHOD_API_TOKEN;
-			$t_password = $real_auth_header;
+			$t_password = $t_api_token;
 			$t_username = user_get_username( $t_user_id );
 		}
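Review bot: The foreach runs one `api_token_get_user()` lookup per comma-separated value of the client-supplied Authorization header, and the number of values is unbounded, so a single unauthenticated request can multiply the token-hash lookups that the `# TODO` comment just above says are still unindexed. The intended case is at most two values (Basic + token), so bound it before the loop, e.g. `if( count( $t_authorization_headers ) > 2 ) { return $response->withStatus( HTTP_STATUS_BAD_REQUEST, 'Too many Authorization values' ); }`. The split on the literal `', '` also misses the `,`-without-space form that is valid when header fields are combined, so `$t_authorization_headers = preg_split( '/\s*,\s*/', trim( $t_authorization_header ) );` would be more robust, assuming tokens themselves never contain a comma. The same points apply to the first patch's version of this hunk, which this one supersedes; the enclosing `__invoke()` and its `else` branch begin outside the hunk.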