[BUGFIX] Skip bearer auth flow when Authorization header is absent

uluzox · uluzox · commit 2c0df5b40735 · 2026-05-13T09:47:09.000+02:00
authenticateBearerToken() destructures the scheme and token from the
Authorization header. The previous guard returned early only when a
scheme was present but did not equal "bearer". For requests without
an Authorization header (or with an unparseable header that yields no
scheme), $scheme is null, the guard did not trigger, and the function
fell through to TokenRepository::findBackendUserIdByToken(null) which
raised a TypeError because the argument is typed as string.

Invert the guard so it also early-returns when the scheme is not a
string. Smallest possible change: keeps the same single-statement
structure and the same is_string() helper that was already used.
diff --git a/Classes/Authentication/HttpBackendUserAuthentication.php b/Classes/Authentication/HttpBackendUserAuthentication.php
@@ -115,7 +115,7 @@ protected function authenticateBearerToken(ServerRequestInterface $request): voi
 
         [$scheme, $token] = GeneralUtility::trimExplode(' ', $authorizationHeader, true);
 
-        if (is_string($scheme) && strtolower($scheme) !== 'bearer') {
+        if (!is_string($scheme) || strtolower($scheme) !== 'bearer') {
             return;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ protected function authenticateBearerToken(ServerRequestInterface $request): voi`
`115`	`115`
`116`	`116`	`[$scheme, $token] = GeneralUtility::trimExplode(' ', $authorizationHeader, true);`
`117`	`117`
`118`		`- if (is_string($scheme) && strtolower($scheme) !== 'bearer') {`
	`118`	`+ if (!is_string($scheme) \|\| strtolower($scheme) !== 'bearer') {`
`119`	`119`	`return;`
`120`	`120`	`}`
`121`	`121`