]> git.immae.eu Git - github/shaarli/Shaarli.git/commitdiff
httpd: always forward the 'Authorization' header
authorVirtualTam <virtualtam@flibidi.net>
Thu, 22 Mar 2018 21:23:41 +0000 (22:23 +0100)
committerVirtualTam <virtualtam@flibidi.net>
Sun, 25 Mar 2018 17:41:44 +0000 (19:41 +0200)
On some Apache HTTPD setups where the CGI/FastCGI mode is used, the HTTP header
containing the JWT token is not forwarded, which results in the following error
when attempting to use the REST API:

  "401 Not authorized: JWT token not provided"

This patch allows forwarding the 'Authorization' header. An alternative would
be to use the `CGIPassAuth` directive to allow all authorization headers to be
forwarded.

See:
- https://secure.php.net/manual/en/features.http-auth.php#114877
- https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request
- https://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame
- https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers
- https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
.htaccess

index 19dd72a805e7b3bd170c87aabb25ad4764ca179a..7ba4744b262af9c1ca97f617c4bb60d9510808e9 100644 (file)
--- a/.htaccess
+++ b/.htaccess
@@ -6,6 +6,10 @@ RewriteEngine On
 # Prevent accessing subdirectories not managed by SCM
 RewriteRule ^(.git|doxygen|vendor) - [F]
 
+# Forward the "Authorization" HTTP header
+RewriteCond %{HTTP:Authorization} ^(.*)
+RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
+
 # REST API
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d