getBasicAuth credential get

Issue #6 resolved
Thomas Helmrich created an issue

Hello,

regarding the following:

https://bitbucket.org/99grad/nnhelpers/annotate/298ea72797651312104e28522a4d53ff55fa461a/Classes/Utilities/Request.php?at=master#Request.php-250

The callback of array_filter is a boolean, so the result of explode won't get transferred to current & current will return only e.g. REDIRECT_HTTP_AUTHORIZATION.

The result is that username and password are always empty. Is this a since-PHP8 thing?

Comments (12)

  1. Thomas Helmrich reporter

    This could fix it:

    [$username, $password] = ($authKey = current(array_filter($check, function ($key) {
      return (($value = $_SERVER[$key] ?? false) && (strpos(strtolower($value), 'basic') === 0));
    }))) ? explode(':', base64_decode(substr($_SERVER[$authKey], 6))) : ['', ''];
    

  2. David Bascom repo owner

    Shouldn’t array_filter() always return an array?

    Just to make sure it isn’t another problem: did you make sure these lines are included in your .htaccess?

    # Enable URL rewriting
    RewriteEngine On
    
    # This might be needed?    
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    

  3. Thomas Helmrich reporter

    Just to make sure it isn’t another problem: did you make sure these lines are included in your .htaccess?

    Yes, it is in, and with my part of the code it works.

    Shouldn’t array_filter() always return an array?

    Indeed, but just the results of the true/false from the callback.
    My ‘only’ REDIRECT_HTTP_AUTHORIZATION was wrong. It returns ['REDIRECT_HTTP_AUTHORIZATION'] or something like that.

  4. David Bascom repo owner

    Ok – this is interesting. It seems as if the modified code breaks the authentication in our test installation.
    Could you post the exact header that you are sending? Maybe you could trace it with Postman or another network tool. I would like to see what the script is getting as REDIRECT_HTTP_AUTHORIZATION.

  5. Thomas Helmrich reporter

    But I DO NOT try to auth with e.g. fe_user. I try to do an auth with token / API security key / salt on a different table.
    Using the

    public function checkAccess($endpoint = []): bool
    

    and $credentials = \nn\t3::Request()->getBasicAuth();

  6. David Bascom repo owner

    I cleaned things up here a little – code was getting confusing 😉
    Could you check if this works in your environment?

    // Replace this in \nn\t3::Request()
    
    public function getBasicAuth() {
    
        $username = '';
        $password = '';
    
        if (isset($_SERVER['PHP_AUTH_USER'])) {
            // PHP has already parsed the header for us
            $username = $_SERVER['PHP_AUTH_USER'];
            $password = $_SERVER['PHP_AUTH_PW'] ?? '';
        } else {
            // Fall back to the raw header value, e.g. as passed on by the RewriteRule
            $check = ['HTTP_AUTHENTICATION', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];
            foreach ($check as $key) {
                // Default to '' so strtolower() never receives a bool
                $value = $_SERVER[$key] ?? '';
                $isBasic = strpos(strtolower($value), 'basic') === 0;
                if ($value && $isBasic) {
                    $decodedValue = base64_decode(substr($value, 6));
                    // Limit 2 keeps ':' inside the password; array_pad() covers a value without ':'
                    [$username, $password] = array_pad(explode(':', $decodedValue, 2), 2, '');
                    break;
                }
            }
        }
    
        // No credentials found: return an empty array
        if (!$username && !$password) return [];
        return ['username'=>$username, 'password'=>$password];
    }
    

  7. Thomas Helmrich reporter

    (FYI: I deleted your headers above so nobody tries authenticating with your key)

    Thanks! But already anonymized it. But that's almost always an ERROR-40 🙂
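An added example (not nnhelpers code and not written by anyone in this thread) of the two points discussed above: `array_filter()` returns the matching elements of its input rather than the callback's return values, and a Basic credential should be split on the first colon only. The helper names `parseBasicAuthHeader()` and `firstBasicAuthKey()` and the sample credential are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not nnhelpers code. parseBasicAuthHeader() and
// firstBasicAuthKey() are hypothetical helper names.

/** Returns ['username' => ..., 'password' => ...], or null if malformed. */
function parseBasicAuthHeader(?string $header): ?array
{
    if ($header === null || stripos($header, 'basic ') !== 0) {
        return null; // header missing, or another scheme (Bearer, Digest, ...)
    }
    // Strict mode makes base64_decode() return false on characters outside
    // the base64 alphabet instead of silently skipping them.
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // not base64, or no "user:password" separator
    }
    // Limit 2: the user-id cannot contain ':', but the password may (RFC 7617).
    [$username, $password] = explode(':', $decoded, 2);
    return ['username' => $username, 'password' => $password];
}

// array_filter() keeps the original elements for which the callback is truthy;
// anything else the callback computes is discarded. Filtering the list of
// $_SERVER key names therefore yields key names, never decoded credentials.
function firstBasicAuthKey(array $server, array $candidates): ?string
{
    $hits = array_filter($candidates, function (string $key) use ($server): bool {
        return parseBasicAuthHeader($server[$key] ?? null) !== null;
    });
    return $hits ? reset($hits) : null;
}

// Constructed sample input: the credential "api:s3cr:et" as it would arrive in
// REDIRECT_HTTP_AUTHORIZATION after the RewriteRule quoted in the thread.
$server = ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('api:s3cr:et')];
$check  = ['HTTP_AUTHENTICATION', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];

$key = firstBasicAuthKey($server, $check);
var_dump($key);                                             // the key name only
var_dump(parseBasicAuthHeader($server[$key ?? ''] ?? null)); // password keeps its ':'
var_dump(parseBasicAuthHeader('Basic ' . base64_encode('no-colon')));
var_dump(parseBasicAuthHeader('Bearer abc.def.ghi'));
```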
