The request object handles auth headers incorrectly #12480

Closed
sergeyklay opened this Issue Dec 17, 2016 · 1 comment


@sergeyklay
Collaborator
sergeyklay commented Dec 17, 2016 edited

Expected and Actual Behavior

I would like to see correct Authorization headers when using these types of authorization:

  • Basic
  • Digest
  • Bearer

Minimal script to reproduce the issue:

Setup

$di = new Phalcon\Di();

$di->set('filter', function () {
    return new Phalcon\Filter();
});

$request = new Phalcon\Http\Request();
$request->setDI($di);

Test 1

$_SERVER = [
    'PHP_AUTH_USER' => 'phalcon',
    'PHP_AUTH_PW'   => 'secret',
];

print_r($request->getHeaders());

Actual

Array
(
)

Expected

Array
(
    [Php-Auth-User] => phalcon
    [Php-Auth-Pw] => secret
    [Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
)

Test 2

$_SERVER = [
    'HTTP_AUTHORIZATION' => 'Basic cGhhbGNvbjpzZWNyZXQ=',
];

print_r($request->getHeaders());

Actual

Array
(
    [Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
)

Expected

Array
(
    [Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
    [Php-Auth-Pw] => secret
    [Php-Auth-User] => phalcon
)

Test 3

$auth = [
    'username="admin"',
    'realm="The batcave"',
    'nonce=49938e61ccaa4',
    'uri="/"',
    'response="98ccab4542f284c00a79b5957baaff23"',
    'opaque="d8ea7aa61a1693024c4cc3a516f49b3c"',
    'qop=auth',
    'nc=00000001',
    'cnonce="8d1b34edb475994b"'
];

$_SERVER = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Digest ' . implode(', ', $auth),
];

print_r($request->getHeaders());

Actual

Array
(
)

Expected

Array
(
    [Php-Auth-Digest] => Digest username="admin", realm="The batcave", nonce=49938e61ccaa4, uri="/", response="98ccab4542f284c00a79b5957baaff23", opaque="d8ea7aa61a1693024c4cc3a516f49b3c", qop=auth, nc=00000001, cnonce="8d1b34edb475994b"
    [Authorization] => Digest username="admin", realm="The batcave", nonce=49938e61ccaa4, uri="/", response="98ccab4542f284c00a79b5957baaff23", opaque="d8ea7aa61a1693024c4cc3a516f49b3c", qop=auth, nc=00000001, cnonce="8d1b34edb475994b"
)

Test 4

$accessToken = 'some-secret-token-here';

$_SERVER = [
    'HTTP_AUTHORIZATION' => "Bearer {$accessToken}",
];

print_r($request->getHeaders());

Actual

Array
(
)

Expected

Array
(
    [Authorization] => Bearer some-secret-token-here
)

And yes, as described in RFC 7230 - "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", Section 3.2, "Header Fields":

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

we can safely return either Php-Auth-User, or PHP-AUTH-USER, or php-auth-user.

Details

  • Phalcon version: 3.0.2
  • PHP Version: 7.0.13
  • Operating System: Ubuntu 14.04.5 LTS
  • Installation type: Compiling from source
  • Zephir version (if any): 0.9.5a-dev
  • Server: Nginx | Apache
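The normalization the four tests above describe, written out as an added example (not Phalcon's own code): it reads a `$_SERVER`-style array and returns the header set each test expects. The function name and the handling of a malformed Basic value (decode failure or missing `:` leaves only `Authorization`) are this example's own assumptions.

```php
<?php
// Added example, not Phalcon's implementation: derive the auth headers the
// issue expects from a $_SERVER-like array (PHP 7.0 compatible syntax).
function authHeadersFromServer(array $server)
{
    $headers = [];

    // Test 1: the SAPI already split Basic credentials into PHP_AUTH_*.
    if (isset($server['PHP_AUTH_USER'])) {
        $user = $server['PHP_AUTH_USER'];
        $pw   = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        $headers['Php-Auth-User'] = $user;
        $headers['Php-Auth-Pw']   = $pw;
        $headers['Authorization'] = 'Basic ' . base64_encode($user . ':' . $pw);
        return $headers;
    }

    // Tests 2-4: raw Authorization header, possibly renamed by mod_rewrite.
    $raw = isset($server['HTTP_AUTHORIZATION'])
        ? $server['HTTP_AUTHORIZATION']
        : (isset($server['REDIRECT_HTTP_AUTHORIZATION']) ? $server['REDIRECT_HTTP_AUTHORIZATION'] : null);
    if ($raw === null) {
        return $headers;
    }
    $headers['Authorization'] = $raw;

    // Scheme names are case-insensitive, so compare lowercased.
    list($scheme, $params) = array_pad(preg_split('/\s+/', trim($raw), 2), 2, '');
    switch (strtolower($scheme)) {
        case 'basic':
            // Strict decoding rejects malformed base64; without a ':' there is
            // no user/password pair, so only Authorization is kept (assumption).
            $decoded = base64_decode($params, true);
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                list($user, $pw) = explode(':', $decoded, 2);
                $headers['Php-Auth-User'] = $user;
                $headers['Php-Auth-Pw']   = $pw;
            }
            break;
        case 'digest':
            // Mirrors what PHP itself exposes as PHP_AUTH_DIGEST under Apache.
            $headers['Php-Auth-Digest'] = $raw;
            break;
        case 'bearer':
            // Token is passed through untouched; validating it is the app's job.
            break;
    }
    return $headers;
}

// Constructed input matching Test 2 from the issue.
print_r(authHeadersFromServer(['HTTP_AUTHORIZATION' => 'Basic cGhhbGNvbjpzZWNyZXQ=']));
```

Swapping in the `$_SERVER` arrays from Tests 1, 3 and 4 yields the corresponding expected arrays (key order aside).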
@sergeyklay sergeyklay added this to the 3.0.3 milestone Dec 17, 2016
@sergeyklay sergeyklay self-assigned this Dec 17, 2016
@sergeyklay
Collaborator

Fixed in the 3.0.x branch.

@sergeyklay sergeyklay closed this Dec 17, 2016
@sergeyklay sergeyklay assigned sergeyklay and unassigned sergeyklay Dec 24, 2016