
Stripped Authorization header in Apache since v2.4.13 runs in trouble with this package #9

@2case (Contributor)

We run into some trouble, as Apache strips the Authorization header since version 2.4.13. You have to add

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

to your .htaccess to enable it.

Activity

2case (Contributor, Author) commented on Feb 25, 2022

No, since that only triggers on Basic authentication and not on Bearer authentication. Also the destination $_SERVER key is different (HTTP_ vs REMOTE_; not sure if the flow/neos subsystem triggers on that).

kitsunet (Member) commented on Jul 26, 2022

In general I found that the current code for the token from headers is really brittle: it needs to account for Authentication headers being an array, for Basic authentication, AND it has no way to know if the Bearer token was actually meant for it. IMHO there should be a way to identify the token to make sure it was actually meant to be a token auth token? Maybe that is fine though, as the repo will just return null and we can then ignore the result...
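
The header cases named in the comment above (array values, Basic next to Bearer), combined with the `HTTP_AUTHORIZATION` variable from the issue description, as an added example that is not flow-token-auth code. `extractBearerToken()` is a hypothetical name, the `REDIRECT_HTTP_AUTHORIZATION` fallback assumes an internal Apache redirect (for example a mod_rewrite front controller), and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Added example: pick a Bearer credential out of the server variables PHP
 * receives from Apache. Hypothetical helper, not part of the package.
 *
 * @param array<string, mixed> $server typically $_SERVER
 * @return string|null the token, or null when no usable Bearer credential exists
 */
function extractBearerToken(array $server): ?string
{
    // HTTP_AUTHORIZATION is what the SetEnvIf line from this issue populates.
    // REDIRECT_HTTP_AUTHORIZATION is the same variable after an internal
    // Apache redirect (assumption, see lead-in).
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        // A header bag may hand over several values; normalise to a list.
        $values = is_array($server[$key]) ? $server[$key] : [$server[$key]];
        foreach ($values as $value) {
            if (!is_string($value)) {
                continue;
            }
            // Scheme is case-insensitive (RFC 7235); charset is the RFC 6750 b64token.
            if (preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', trim($value), $m) === 1) {
                return $m[1];
            }
            // "Basic ..." and malformed values fall through: not a Bearer credential.
        }
    }
    // Null means "nothing to authenticate with"; whether a returned token is
    // known at all is still decided by the token lookup, not by this parser.
    return null;
}

// Constructed sample inputs.
$samples = [
    'stripped by Apache'  => [],
    'Basic only'          => ['HTTP_AUTHORIZATION' => 'Basic dXNlcjpwYXNz'],
    'Bearer via SetEnvIf' => ['HTTP_AUTHORIZATION' => 'Bearer abc.DEF-123'],
    'after redirect'      => ['REDIRECT_HTTP_AUTHORIZATION' => 'bearer abc.DEF-123'],
    'array of values'     => ['HTTP_AUTHORIZATION' => ['Basic dXNlcjpwYXNz', 'Bearer abc.DEF-123']],
];
foreach ($samples as $label => $server) {
    var_dump($label, extractBearerToken($server));
}
```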

kdambekalns (Member) commented on Nov 10, 2022

I can't tell much about this, as I have not been using Apache HTTPD for ages now.

But I would think this is rather an issue with the Apache setup, and as such this package does not need to be changed – except maybe mentioning possible problems in the README?

Stripped Authorization header in Apache since v2.4.13 runs in trouble with this package · Issue #9 · flownative/flow-token-auth