Closed
Description
Expected and Actual Behavior
I would like to see correct Authorization headers when the following types of authorization are used:
- Basic
- Digest
- Bearer
Minimal script to reproduce the issue:
Setup
$di = new Phalcon\Di();
$di->set('filter', function () {
    return new Phalcon\Filter();
});
$request = new Phalcon\Http\Request();
$request->setDI($di);
Test 1
$_SERVER = [
    'PHP_AUTH_USER' => 'phalcon',
    'PHP_AUTH_PW' => 'secret',
];
print_r($request->getHeaders());
Actual
Array
(
)
Expected
Array
(
[Php-Auth-User] => phalcon
[Php-Auth-Pw] => secret
[Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
)
Test 2
$_SERVER = [
    'HTTP_AUTHORIZATION' => 'Basic cGhhbGNvbjpzZWNyZXQ=',
];
print_r($request->getHeaders());
Actual
Array
(
[Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
)
Expected
Array
(
[Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
[Php-Auth-Pw] => secret
[Php-Auth-User] => phalcon
)
Test 3
$auth = [
    'username="admin"',
    'realm="The batcave"',
    'nonce=49938e61ccaa4',
    'uri="/"',
    'response="98ccab4542f284c00a79b5957baaff23"',
    'opaque="d8ea7aa61a1693024c4cc3a516f49b3c"',
    'qop=auth',
    'nc=00000001',
    'cnonce="8d1b34edb475994b"'
];
$_SERVER = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Digest ' . implode(', ', $auth),
];
print_r($request->getHeaders());
Actual
Array
(
)
Expected
Array
(
[Php-Auth-Digest] => Digest username="admin", realm="The batcave", nonce=49938e61ccaa4, uri="/", response="98ccab4542f284c00a79b5957baaff23", opaque="d8ea7aa61a1693024c4cc3a516f49b3c", qop=auth, nc=00000001, cnonce="8d1b34edb475994b"
[Authorization] => Digest username="admin", realm="The batcave", nonce=49938e61ccaa4, uri="/", response="98ccab4542f284c00a79b5957baaff23", opaque="d8ea7aa61a1693024c4cc3a516f49b3c", qop=auth, nc=00000001, cnonce="8d1b34edb475994b"
)
Test 4
$accessToken = 'some-secret-token-here';
$_SERVER = [
    'HTTP_AUTHORIZATION' => "Bearer {$accessToken}",
];
print_r($request->getHeaders());
Actual
Array
(
)
Expected
Array
(
[Authorization] => Bearer some-secret-token-here
)
And yes, as described in RFC 7230 - "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", Section 3.2, "Header Fields":
Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.
we can safely return either Php-Auth-User, or PHP-AUTH-USER, or php-auth-user.
Details
- Phalcon version: 3.0.2
- PHP Version: 7.0.13
- Operating System: Ubuntu 14.04.5 LTS
- Installation type: Compiling from source
- Zephir version (if any): 0.9.5a-dev
- Server: Nginx | Apache
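
The header resolution that Tests 1 to 4 expect, written out as an added example (not part of the original issue and not Phalcon's code). The function name `resolveAuthHeaders()` is hypothetical, and the inputs at the bottom are constructed to mirror the four tests.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Phalcon's API): derive the auth-related
// headers from a $_SERVER-style array, as the issue's tests expect.
function resolveAuthHeaders(array $server): array
{
    $headers = [];

    // Test 1: PHP has already split Basic credentials into user and password.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        $headers['Php-Auth-User'] = $server['PHP_AUTH_USER'];
        $headers['Php-Auth-Pw']   = $server['PHP_AUTH_PW'];
        $headers['Authorization'] = 'Basic ' . base64_encode(
            $server['PHP_AUTH_USER'] . ':' . $server['PHP_AUTH_PW']
        );
        return $headers;
    }

    // Tests 2-4: only the raw header is present; Test 3 supplies it
    // under the REDIRECT_ prefixed key.
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
    if (!is_string($raw) || $raw === '') {
        return $headers;
    }
    $headers['Authorization'] = $raw;

    // Auth scheme names are matched case-insensitively.
    if (stripos($raw, 'Basic ') === 0) {
        // Strict mode returns false on characters outside the base64 alphabet.
        $decoded = base64_decode(trim(substr($raw, 6)), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            // Split on the first colon only: a password may contain ':'.
            [$user, $pw] = explode(':', $decoded, 2);
            $headers['Php-Auth-User'] = $user;
            $headers['Php-Auth-Pw']   = $pw;
        }
    } elseif (stripos($raw, 'Digest ') === 0) {
        // Full header value, as the Expected output of Test 3 shows it.
        $headers['Php-Auth-Digest'] = $raw;
    }
    // Bearer and any other scheme: only Authorization is exposed (Test 4).
    return $headers;
}

// Constructed inputs mirroring Tests 1, 2 and 4 from the issue.
print_r(resolveAuthHeaders(['PHP_AUTH_USER' => 'phalcon', 'PHP_AUTH_PW' => 'secret']));
print_r(resolveAuthHeaders(['HTTP_AUTHORIZATION' => 'Basic cGhhbGNvbjpzZWNyZXQ=']));
print_r(resolveAuthHeaders(['HTTP_AUTHORIZATION' => 'Bearer some-secret-token-here']));
```

The returned array holds plaintext credentials or tokens, so redact these keys before the headers are written to logs or error reports.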