diff --git a/.htaccess b/.htaccess index af2dc5a7..25fcfb03 100644 --- a/.htaccess +++ b/.htaccess @@ -10,8 +10,12 @@ RewriteRule ^(.git|doxygen|vendor) - [F] # fixes JWT token not correctly forwarded on some Apache/FastCGI setups RewriteCond %{HTTP:Authorization} ^(.*) RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] +# Alternative (if the 2 lines above don't work) +# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 # REST API +# Ionos Hosting needs RewriteBase / +# RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^ index.php [QSA,L] diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php index 09ce6445..f5b53b01 100644 --- a/application/api/ApiMiddleware.php +++ b/application/api/ApiMiddleware.php @@ -107,7 +107,9 @@ protected function checkRequest($request) */ protected function checkToken($request) { - if (! $request->hasHeader('Authorization')) { + if (!$request->hasHeader('Authorization') + && !isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION']) + ) { throw new ApiAuthorizationException('JWT token not provided'); } @@ -115,7 +117,11 @@ protected function checkToken($request) throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration'); } - $authorization = $request->getHeaderLine('Authorization'); + if (isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])) { + $authorization = $this->container->environment['REDIRECT_HTTP_AUTHORIZATION']; + } else { + $authorization = $request->getHeaderLine('Authorization'); + } if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) { throw new ApiAuthorizationException('Invalid JWT header'); diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php index b157e4a7..32031750 100644 --- a/tests/api/ApiMiddlewareTest.php +++ b/tests/api/ApiMiddlewareTest.php @@ -66,6 +66,53 @@ protected function tearDown(): void @unlink(self::$testDatastore); } + /** + * Invoke the middleware with a valid token + */ + public function testInvokeMiddlewareWithValidToken(): void + { + $next = function (Request $request, Response $response): Response { + return $response; + }; + $mw = new ApiMiddleware($this->container); + $env = Environment::mock([ + 'REQUEST_METHOD' => 'GET', + 'REQUEST_URI' => '/echo', + 'HTTP_AUTHORIZATION'=> 'Bearer ' . ApiUtilsTest::generateValidJwtToken('NapoleonWasALizard'), + ]); + $request = Request::createFromEnvironment($env); + $response = new Response(); + /** @var Response $response */ + $response = $mw($request, $response, $next); + + $this->assertEquals(200, $response->getStatusCode()); + } + + /** + * Invoke the middleware with a valid token + * Using specific Apache CGI redirected authorization. + */ + public function testInvokeMiddlewareWithValidTokenFromRedirectedHeader(): void + { + $next = function (Request $request, Response $response): Response { + return $response; + }; + + $token = 'Bearer ' . ApiUtilsTest::generateValidJwtToken('NapoleonWasALizard'); + $this->container->environment['REDIRECT_HTTP_AUTHORIZATION'] = $token; + $mw = new ApiMiddleware($this->container); + $env = Environment::mock([ + 'REQUEST_METHOD' => 'GET', + 'REQUEST_URI' => '/echo', + ]); + $request = Request::createFromEnvironment($env); + $response = new Response(); + /** @var Response $response */ + $response = $mw($request, $response, $next); + + $this->assertEquals(200, $response->getStatusCode()); + } + /** * Invoke the middleware with the API disabled: * should return a 401 error Unauthorized.