Add Apache fallback for Authorization header

Even when Apache is not putting the correct header in the PHP $_SERVER variable, it may still be retrieved using apache_request_headers. Yes, this is terribly inconsistent. If there are still problems after this, the server needs to be configured to set the HTTP_AUTHORIZATION value within $_SERVER.
Zegnat · May 8, 2018 · 41bbee4 · 41bbee4
1 parent 4a80817
commit 41bbee4
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/endpoint.php b/endpoint.php
@@ -182,6 +182,12 @@ function invalidRequest(): void
 $method = filter_input(INPUT_SERVER, 'REQUEST_METHOD', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '@^[!#$%&\'*+.^_`|~0-9a-z-]+$@i']]);
 if ($method === 'GET') {
     $authorization = filter_input(INPUT_SERVER, 'HTTP_AUTHORIZATION', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '@^Bearer [0-9a-z]+$@']]);
+    if ($authorization === null && function_exists('apache_request_headers')) {
+        $headers = array_change_key_case(apache_request_headers(), CASE_LOWER);
+        if (isset($headers['authorization'])) {
+            $authorization = filter_var($headers['authorization'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '@^Bearer [0-9a-z]+$@']]);
+        }
+    }
     if ($authorization === null) {
         header('HTTP/1.1 401 Unauthorized');
         header('WWW-Authenticate: Bearer');