From cd669b3ae15406511727ab00d7f41d141d9cf8f8 Mon Sep 17 00:00:00 2001
From: Will Rossiter
Date: Tue, 24 Aug 2021 11:50:58 +1200
Subject: [PATCH] Don't access _SERVER globals directly
---
 src/Controllers/ApiController.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/Controllers/ApiController.php b/src/Controllers/ApiController.php
index 7259cce..1338ef0 100644
--- a/src/Controllers/ApiController.php
+++ b/src/Controllers/ApiController.php
@@ -61,6 +61,7 @@ public function init()
 ->addHeader("Content-type", "application/json");
 }
 
+
 public function index()
 {
 return $this->httpError(400, 'Bad Request');
@@ -234,10 +235,10 @@ public function getAuthorizationHeader(): string
 {
 $header = '';
 
- if (isset($_SERVER['Authorization'])) {
- $header = trim($_SERVER["Authorization"]);
- } elseif (isset($_SERVER['HTTP_AUTHORIZATION'])) {
- $header = trim($_SERVER["HTTP_AUTHORIZATION"]);
+ if ($auth = $this->getRequest()->getHeader('Authorization')) {
+ $header = trim($auth);
+ } elseif ($auth = $this->getRequest()->getHeader('HTTP_AUTHORIZATION')) {
+ $header = trim($auth);
 } elseif (function_exists('apache_request_headers')) {
 $requestHeaders = apache_request_headers();
 $requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
@@ -250,6 +251,11 @@ public function getAuthorizationHeader(): string
 return $header;
 }
 
+ /**
+ * Returns the bearer token value from the Authorization Header
+ *
+ * @return string
+ */
 public function getBearerToken(): string
 {
 $headers = $this->getAuthorizationHeader();
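Review bot: The second branch, `} elseif ($auth = $this->getRequest()->getHeader('HTTP_AUTHORIZATION')) {`, is very likely dead code: a request object that answers `getHeader('Authorization')` has normally already mapped the `HTTP_AUTHORIZATION` server variable onto that header name, so the raw `HTTP_*` key never appears as a header — confirm against the request builder's header extraction and drop the branch if so. The assignment-in-condition also tests truthiness rather than presence, so a header whose value is literally `0` falls through to the Apache path; assuming `getHeader()` yields null for a missing header, `if (($auth = $this->getRequest()->getHeader('Authorization')) !== null) {` states the intent and avoids the edge case. The remaining `apache_request_headers()` fallback still reads the web server directly instead of the request object, so the commit's stated goal of not touching server globals is only partly met in this method; a short comment on that branch explaining why it is kept (Authorization is stripped under some CGI/FastCGI setups) would help the next reader. The added blank line in the first hunk leaves two consecutive blank lines before `index()`, which PSR-12 does not allow and which looks unrelated to this change. getAuthorizationHeader's body continues past the hunk.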
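Review bot: The new docblock's `@return string` only restates the native return type, while the information a caller actually needs — what the method returns when the Authorization header is absent or does not use the `Bearer` scheme (an empty string, or an exception) — is missing. The method body continues outside the hunk, so I cannot tell which it is; the docblock should say it explicitly, e.g. describe the token that follows `Bearer ` and the exact value returned when no such token is present, and drop the redundant `@return` tag.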