Authorization not in header #1616

Closed
bmutinda opened this Issue Nov 25, 2015 · 9 comments

@bmutinda

Hey guys,
With Slim2 I was able to get the value supplied in the Authorization in the headers but with Slim3 I can't get it.
I can get other header parameters though.
This is what I have tried

$request->getHeader("Authorization")

Is there any other way to access this?

@geggleto

geggleto Nov 25, 2015

Contributor

That is how you read a header field.

@tuupola

tuupola Nov 25, 2015

Contributor

Call to $request->getHeader("Authorization") works fine. However, if you are using Apache and send something other than a valid Authorization: Basic header, PHP won't have access to it unless you add the following to your .htaccess file.

RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

@bmutinda

bmutinda Nov 25, 2015

@tuupola Thanks, it works. I am using Apache. Does this also fix it if I am using nginx?
For the Apache server, this is how I had hacked it 🎯

$headers = apache_request_headers();
$headers["Authorization"];

@akrabat akrabat added the Slim 3 label Nov 28, 2015

@akrabat

akrabat Nov 28, 2015

Member

@bmutinda The missing Authorization header appears to be an Apache only thing.

@akrabat akrabat closed this Nov 28, 2015

@ienev

ienev Feb 11, 2016

On Apache 2.4 (before 2.4.13) with PHP-FPM this rewrite would work

RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

but it will result in a REDIRECT_HTTP_AUTHORIZATION header which is still not accessible by

$request->getHeader("Authorization")

Apache 2.4.13 introduced a CGIPassAuth directive that would allow passing the Authorization header to the script although I haven't tested this myself.

For now the only workarounds are to either access $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] or use a custom header name.
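
Added example (not part of the original thread and not Slim's own code): a helper that looks for the Authorization value in each place the comments above mention (`HTTP_AUTHORIZATION`, `REDIRECT_HTTP_AUTHORIZATION`, `apache_request_headers()`) and a Slim 3 style middleware that restores it onto the request. The names `resolveAuthorization` and `$restoreAuthorization`, the refusal of conflicting values and the format check are assumptions of this example; the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Slim's code. $server is normally $_SERVER;
// $apacheHeaders is the result of apache_request_headers() where available.
function resolveAuthorization(array $server, array $apacheHeaders = []): ?string
{
    $found = [];
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && is_string($server[$key])) {
            $found[] = trim($server[$key]);
        }
    }
    foreach ($apacheHeaders as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            $found[] = trim((string) $value);
        }
    }
    $found = array_values(array_unique(array_filter($found, function ($v) { return $v !== ''; })));
    // Assumption of this example: sources that disagree are refused, not guessed at.
    if (count($found) !== 1) {
        return null;
    }
    // Require "<scheme> <credentials>" in printable ASCII, which rules out CR/LF.
    $ok = preg_match('/^[A-Za-z][A-Za-z0-9_-]* [\x20-\x7E]+\z/', $found[0]) === 1;
    return $ok ? $found[0] : null;
}

// Slim 3 style middleware signature: ($request, $response, $next).
$restoreAuthorization = function ($request, $response, $next) {
    if (!$request->hasHeader('Authorization')) {
        $apache = function_exists('apache_request_headers') ? (apache_request_headers() ?: []) : [];
        $value = resolveAuthorization($_SERVER, $apache);
        if ($value !== null) {
            $request = $request->withHeader('Authorization', $value);
        }
    }
    return $next($request, $response);
};
// Registered with $app->add($restoreAuthorization); in a Slim 3 application.

// Constructed samples: the REDIRECT_ case from the comment above, then a conflict.
var_dump(resolveAuthorization(['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer constructed.sample.token']));
var_dump(resolveAuthorization([
    'HTTP_AUTHORIZATION' => 'Bearer aaa.bbb.ccc',
    'REDIRECT_HTTP_AUTHORIZATION' => 'Bearer xxx.yyy.zzz',
]));
```

The resolved value is a credential, so it should stay out of `var_dump` output and request logs once the debugging is done.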

@tuupola

tuupola Feb 11, 2016

Contributor

Just FYI, #898 was a Slim 2 pull request regarding this. Did not know about CGIPassAuth. Thanks for the tip!

@ienev

ienev Feb 11, 2016

Thanks, I was only searching for Slim 3. Any chance a similar PR would be accepted for 3?

@ianrussel

ianrussel Dec 22, 2017

@akrabat

I have this issue and can't solve it. I am using nginx and Slim 3. Here's my route:

```php
$app->get('/api/private/offers', function($request, $response, $next){

    //$headers = apache_request_headers();
    $headers = $request->getHeaders();
    var_dump($headers);

});
```

Here is the output

```
array (size=11)
  'HTTP_COOKIE' =>
    array (size=1)
      0 => string 'PHPSESSID=p8r0lrt3ujkj24jac72hnh1fqs' (length=36)
  'HTTP_ACCEPT_LANGUAGE' =>
    array (size=1)
      0 => string 'en-US,en;q=0.9' (length=14)
  'HTTP_ACCEPT_ENCODING' =>
    array (size=1)
      0 => string 'gzip, deflate' (length=13)
  'HTTP_ACCEPT' =>
    array (size=1)
      0 => string 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' (length=85)
  'HTTP_UPGRADE_INSECURE_REQUESTS' =>
    array (size=1)
      0 => string '1' (length=1)
  'HTTP_USER_AGENT' =>
    array (size=1)
      0 => string 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36' (length=114)
  'HTTP_CACHE_CONTROL' =>
    array (size=1)
      0 => string 'max-age=0' (length=9)
  'HTTP_CONNECTION' =>
    array (size=1)
      0 => string 'keep-alive' (length=10)
  'Host' =>
    array (size=1)
      0 => string 'offline-report.test' (length=19)
  'CONTENT_LENGTH' =>
    array (size=1)
      0 => string '' (length=0)
  'CONTENT_TYPE' =>
    array (size=1)
      0 => string '' (length=0)
```

Notice that 'Authorization' header is not included

I enabled the CORS as per Slim Docs

```php
$app->options('/{routes:.+}', function ($request, $response, $args) {
    return $response;
});

$app->add(function ($req, $res, $next) {
    $response = $next($req, $res);
    return $response
        ->withHeader('Access-Control-Allow-Origin', '*')
        ->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
        ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
});
```

Trying

    //$headers = apache_request_headers();

Still same result

But I return it to console, it's there, I am so confused.

    return json_encode($request->getHeader('Authorization'));

    0 => string 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9VTTFSVEk1TVVaQ01FRkJPVFkxUkVReE5rUXdNelEwT0VFd1FVSTVSVGsxTkVaRU5ESXdRUSJ9.eyJpc3MiOiJodHRwczovL2NoZWF0c2hlZXQuYXV0aDAuY29tLyIsInN1YiI6Imdvb2dsZS1vYXV0aDJ8MTA2ODQ2MTU0MzE1OTcxNTU5NjczI

Do you have an idea for this? I am using NGINX

@akrabat

akrabat Dec 22, 2017

Member

I've never used nginx. Maybe ask on the forums.
