
The request object handles auth headers incorrectly #12480

Closed
sergeyklay opened this issue Dec 17, 2016 · 4 comments
Labels: bug (A bug report), status: medium (Medium)

sergeyklay (Contributor) commented Dec 17, 2016

Expected and Actual Behavior

I would like to see correct Authorization headers when using the following types of authorization:

  • Basic
  • Digest
  • Bearer

Minimal script to reproduce the issue:

Setup

$di = new Phalcon\Di();

$di->set('filter', function () {
    return new Phalcon\Filter();
});

$request = new Phalcon\Http\Request();
$request->setDI($di);

Test 1

$_SERVER = [
    'PHP_AUTH_USER' => 'phalcon',
    'PHP_AUTH_PW'   => 'secret',
];

print_r($request->getHeaders());

Actual

Array
(
)

Expected

Array
(
    [Php-Auth-User] => phalcon
    [Php-Auth-Pw] => secret
    [Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
)

Test 2

$_SERVER = [
    'HTTP_AUTHORIZATION' => 'Basic cGhhbGNvbjpzZWNyZXQ=',
];

print_r($request->getHeaders());

Actual

Array
(
    [Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
)

Expected

Array
(
    [Authorization] => Basic cGhhbGNvbjpzZWNyZXQ=
    [Php-Auth-Pw] => secret
    [Php-Auth-User] => phalcon
)

Test 3

$auth = [
    'username="admin"',
    'realm="The batcave"',
    'nonce=49938e61ccaa4',
    'uri="/"',
    'response="98ccab4542f284c00a79b5957baaff23"',
    'opaque="d8ea7aa61a1693024c4cc3a516f49b3c"',
    'qop=auth',
    'nc=00000001',
    'cnonce="8d1b34edb475994b"'
];

$_SERVER = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Digest ' . implode(', ', $auth),
];

print_r($request->getHeaders());

Actual

Array
(
)

Expected

Array
(
    [Php-Auth-Digest] => Digest username="admin", realm="The batcave", nonce=49938e61ccaa4, uri="/", response="98ccab4542f284c00a79b5957baaff23", opaque="d8ea7aa61a1693024c4cc3a516f49b3c", qop=auth, nc=00000001, cnonce="8d1b34edb475994b"
    [Authorization] => Digest username="admin", realm="The batcave", nonce=49938e61ccaa4, uri="/", response="98ccab4542f284c00a79b5957baaff23", opaque="d8ea7aa61a1693024c4cc3a516f49b3c", qop=auth, nc=00000001, cnonce="8d1b34edb475994b"
)

Test 4

$accessToken = 'some-secret-token-here';

$_SERVER = [
    'HTTP_AUTHORIZATION' => "Bearer {$accessToken}",
];

print_r($request->getHeaders());

Actual

Array
(
)

Expected

Array
(
    [Authorization] => Bearer some-secret-token-here
)

And yes, as described in RFC 7230 - "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", Section 3.2, "Header Fields":

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

we can safely return either Php-Auth-User, or PHP-AUTH-USER, or php-auth-user.

Details

  • Phalcon version: 3.0.2
  • PHP Version: 7.0.13
  • Operating System: Ubuntu 14.04.5 LTS
  • Installation type: Compiling from source
  • Zephir version (if any): 0.9.5a-dev
  • Server: Nginx | Apache
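The four tests above all describe one resolution rule: whatever form the credentials arrive in (SAPI-decoded PHP_AUTH_USER/PHP_AUTH_PW, a raw HTTP_AUTHORIZATION line, or the REDIRECT_HTTP_AUTHORIZATION that Apache exposes after a rewrite), the request should end up with both the Authorization line and the per-scheme Php-Auth-* headers populated. The following is an added example that reconstructs that rule over a $_SERVER-shaped array; it is not Phalcon's code, and the function name resolveAuthHeaders and its return shape are this example's own assumptions.

```php
<?php
// Added example (not Phalcon's code): resolves auth headers from a
// $_SERVER-shaped array the way the report's expected outputs describe.
// resolveAuthHeaders() is a name assumed for this example.

function resolveAuthHeaders(array $server): array
{
    $headers = [];

    // Generic HTTP_* -> "Header-Name" conversion, e.g. HTTP_AUTHORIZATION -> Authorization.
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $name = ucwords(strtolower(str_replace('_', '-', substr($key, 5))), '-');
            $headers[$name] = $value;
        }
    }

    // Credentials the SAPI already decoded (mod_php, PHP-FPM): expose them as
    // headers and synthesise the Authorization line they were decoded from (Test 1).
    if (isset($server['PHP_AUTH_USER'])) {
        $user = $server['PHP_AUTH_USER'];
        $pw   = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        $headers['Php-Auth-User'] = $user;
        $headers['Php-Auth-Pw']   = $pw;
        if (!isset($headers['Authorization'])) {
            $headers['Authorization'] = 'Basic ' . base64_encode($user . ':' . $pw);
        }
    } elseif (isset($server['PHP_AUTH_DIGEST'])) {
        $headers['Php-Auth-Digest'] = $server['PHP_AUTH_DIGEST'];
        if (!isset($headers['Authorization'])) {
            $headers['Authorization'] = $server['PHP_AUTH_DIGEST'];
        }
    }

    // Raw Authorization line. Apache in CGI/FastCGI mode drops it unless a
    // rewrite rule re-exports it, in which case it arrives as
    // REDIRECT_HTTP_AUTHORIZATION (the situation in Test 3).
    $raw = null;
    if (isset($server['HTTP_AUTHORIZATION'])) {
        $raw = $server['HTTP_AUTHORIZATION'];
    } elseif (isset($server['REDIRECT_HTTP_AUTHORIZATION'])) {
        $raw = $server['REDIRECT_HTTP_AUTHORIZATION'];
    }
    if ($raw === null) {
        return $headers;
    }
    $headers['Authorization'] = $raw;

    // The auth-scheme token is case-insensitive (RFC 7235, Section 2.1),
    // so "bearer" and "Bearer" must be treated alike.
    $parts  = preg_split('/\s+/', trim($raw), 2);
    $scheme = strtolower($parts[0]);
    $creds  = isset($parts[1]) ? $parts[1] : '';

    switch ($scheme) {
        case 'basic':
            // Derive user/password only when the token really is base64 of "user:pass" (Test 2).
            $decoded = base64_decode($creds, true);
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                list($user, $pw) = explode(':', $decoded, 2);
                $headers['Php-Auth-User'] = $user;
                $headers['Php-Auth-Pw']   = $pw;
            }
            break;
        case 'digest':
            // The whole challenge response is what the application needs (Test 3).
            $headers['Php-Auth-Digest'] = $raw;
            break;
        case 'bearer':
            // Nothing to derive: the opaque token travels only in Authorization (Test 4).
            break;
    }

    return $headers;
}

// Constructed inputs mirroring the four tests in the report (the Digest
// parameters are shortened; they are sample values, not real credentials).
$cases = [
    'Test 1' => ['PHP_AUTH_USER' => 'phalcon', 'PHP_AUTH_PW' => 'secret'],
    'Test 2' => ['HTTP_AUTHORIZATION' => 'Basic cGhhbGNvbjpzZWNyZXQ='],
    'Test 3' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Digest username="admin", realm="The batcave", nonce=49938e61ccaa4, uri="/"'],
    'Test 4' => ['HTTP_AUTHORIZATION' => 'bearer some-secret-token-here'],
];
foreach ($cases as $label => $server) {
    echo $label, ":\n";
    print_r(resolveAuthHeaders($server));
}
```

Two points worth noting from a defender's side. First, the scheme comparison is lowercased before the switch, so a client that sends "bearer" instead of "Bearer" still resolves to an Authorization header rather than silently yielding an empty array; RFC 7235 makes the scheme token case-insensitive, and matching it case-sensitively is exactly the kind of defect that turns into "the header is missing" reports. Second, the resulting array carries plaintext secrets (Php-Auth-Pw, the Basic credentials, the bearer token), so it must never be dumped into logs or error pages verbatim.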
sergeyklay (Contributor, Author) commented:

Fixed in the 3.0.x branch.

quickshiftin commented May 18, 2018

I'm still encountering this issue in 3.3.1. Essentially $phalconRequest->getAllHeaders() is getallheaders() minus the Authorization header.

sergeyklay (Contributor, Author) commented:

@quickshiftin Did you see the tests at tests/unit/Http/Request/AuthHeaderTest.php?

quickshiftin commented:

@sergeyklay I'm looking at it now, and your patch from 3.0.x. It looks like Phalcon does some introspection of the Authorization header's value, and I suspect that's where it's breaking down in my case.

I'm using JWT, so my Authorization headers look like

Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.gxeBcYXfarytnysL2hFB76UWKbfy0d3G-cy1H6bqBtajiHHN__gGR1ZyofLtlW7MWHo5Wt_nanIJ_96-ZxLkZiPoiPc6bFPIAhDvFszmbN8lv-LKp-V4IANrh4v-DqEN0x9J23DftlMhm5Y9F4ablPTdHpN9LB-LyIJQi-2LFZMDMeaLQStIIKIJkOoO9vzSXx3my5T-qz8xPTfWRC25tuL8xsbj_J-GthXIwn-9xYfFVE_ahXCc3nisxi6XVY3dLZ045OttpL8dn0Lu_M0Bwq6wuY73hFZgxOk_HNwjrCIB4WlwGqg9qOhr-Oe70hMR5suS_h8Oep16LQBufTZ230-r9p4uEjpfhfwH01BzSKyxVYyGx-EQNuu9cqIfVWNfMpNc53lPhtVOKIg-2MbBkJgyLSSqqINUmq8lhW2GvHCeHpR_hDOgpH3fjXFWCuJtxY207_xkLR5qxWAY6fGZeVJFiUyU7b-JLq1R4H1Vai4scEyKqLub6Z_GRnizEjIQi0eoqoMPat3vhSiGd2zMyT3b54xgdBiPfpPErHeO3ee9b6nTvQ_9I_5oOcif7SGM2BiNyTq64Or3V3Yhdr8sEQVwafi4kxJD7eghSLWxy-3WAOvND4Q8R555cHZZvYnwiQePsFNub_04KNwq_Ve2oEPWeI4QiPH8aXdiObjP1ow

I see some logic in there to handle bearer, but it's not working. Maybe if I find time one of these days I'll run the unit tests against my headers and figure out what's wrong.

@niden niden added bug A bug report status: medium Medium and removed Bug - Medium labels Dec 23, 2019