Update HeaderExtractor to enable REDIRECT_HTTP_AUTHORIZATION #13
Conversation
Using $_SERVER directly fails Code Climate test
|
can't fix codeclimate complaining about static access :( |
|
Don't worry too much about the static access errors, I happily ignore those ;) |
| @@ -14,6 +15,13 @@ class HeaderExtractor | |||
| public static function getAuthorizationHeader(HTTPRequest $request) | |||
| { | |||
| $authHeader = $request->getHeader('Authorization'); | |||
| if (!$authHeader) { | |||
| $envVars = Environment::getVariables(); | |||
| if (isset($envVars['_SERVER']['REDIRECT_HTTP_AUTHORIZATION'])) { | |||
There was a problem hiding this comment.
I believe this should be an .htaccess setting, which should forward the HTTP authorisation. Not something inside the scope of this module?
There was a problem hiding this comment.
A bit late, but on second thought, I do see value in this, but I'd rather not reed directly from a header, could you update this to use filter_input?
There was a problem hiding this comment.
I suppose I could, shouldn’t be hard. But it’s been a while and I don’t have that setup anymore where this was an issue, so can’t actually test it now. Try to find a moment to set something up...
|
Took me quite a while to figure out what was going on the last time, because it just doesn’t work, without any errors... and it’s a nice and easy fix 🙂 Also SilverStripe core BasicAuth has taken this same approach, so I think it would be consistent... And also, but that could be a personal issue, I couldn’t get the htaccess solution working, nor did porting it to lighttpd work... |
|
Any status update on this? I still think an .htaccess change is the way to go.... |
This works, but it does probably bypass CORS allow-headers settings for Authorization. So probably they should be validated in some way as well, do you think?