Bug #44684

Authorization header redirect in .htaccess strips the Basic-prefix

Added by Peter Rauber over 2 years ago. Updated 11 months ago.

Status: New
Priority: Should have
Assigned To: -
Category: -
Target version: -
Start date: 2013-01-21
Due date:
% Done: 0%
Affected Flow version: (any)

Description

The .htaccess file in the web folder contains this command:
SetEnvIfNoCase Authorization "Basic ([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$1

This will strip the prefix "Basic " from the authorization header.

Changing this to:
SetEnvIfNoCase Authorization "Basic ([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$0

worked for me. Maybe this should be updated in the shipped .htaccess file.

History

#1 Updated by Peter Rauber over 1 year ago

Still present for me. Is this bugtracker still active?

#2 Updated by Peter Rauber about 1 year ago

Additional information to reproduce:

Here is a snippet from my settings.yaml where I configured the Authentication/Provider/Token for HttpBasic:

TYPO3:
  Flow:
    security:
      authentication:
        authenticationStrategy: oneToken
        providers:
          RestApiProvider:
            provider: PersistedUsernamePasswordProvider
            token: TYPO3\Flow\Security\Authentication\Token\UsernamePasswordHttpBasic

When you then send a web request (including an Authorization header) to the Flow instance, you can debug TYPO3\Flow\Security\Authentication\Token\UsernamePasswordHttpBasic and see that the header data has lost the word 'Basic'.

We use apache2 on several machines; it happens everywhere. Don't know if it's apache2-related.

#3 Updated by DANIEL Rémy 11 months ago

I also have this kind of issue with a Bearer token...

Authorization: Bearer e1e9aa6332bde97dcbdf1a7e99472784

I can't read this header in the Request. I need to monkey-patch .htaccess in order to access it properly:

SetEnvIfNoCase Authorization "(Bearer )([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$1$2
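Added example (not code from the bug report, from Flow or from Apache): a small Python model of how mod_setenvif expands $0 and $1..$9 in the three SetEnvIfNoCase rules quoted on this page (the shipped $1 rule from the description, the proposed $0 fix, and the $1$2 Bearer rule from comment #3), plus a minimal Basic-credential parser standing in for what a Basic token class needs from the header. The sample header values are constructed here, the function names set_env_if_nocase, remote_authorization and parse_basic_credentials are this example's own, and treating Python's re as equivalent to Apache's PCRE for these patterns is an assumption.

```python
import base64
import re

# Constructed sample header values for the demonstration (the Basic one is
# base64("alice:s3cret"); the Bearer one is the value from comment #3).
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
BEARER_HEADER = "Bearer e1e9aa6332bde97dcbdf1a7e99472784"

# The three SetEnvIfNoCase rules discussed on this page, as (regex, env value).
SHIPPED_RULE = (r"Basic ([a-zA-Z0-9\+/=]+)", "$1")      # shipped .htaccess: $1 = base64 part only
FIXED_RULE = (r"Basic ([a-zA-Z0-9\+/=]+)", "$0")        # proposed fix: $0 = whole match
BEARER_RULE = (r"(Bearer )([a-zA-Z0-9\+/=]+)", "$1$2")  # comment #3: glue both groups back


def set_env_if_nocase(header_value, pattern, env_template):
    """Approximation (assumed, not mod_setenvif's code) of SetEnvIfNoCase for one header.

    If `pattern` matches `header_value` case-insensitively, return the
    environment value with $0 (whole match) and $1..$9 (capture groups)
    expanded; otherwise return None, meaning the variable is not set at all.
    """
    match = re.search(pattern, header_value, re.IGNORECASE)
    if match is None:
        return None

    def expand(backref):
        n = int(backref.group(1))
        if n > len(match.groups()):
            return ""                      # a group that does not exist expands to nothing
        return match.group(n) or ""        # group(0) is the whole match

    return re.sub(r"\$(\d)", expand, env_template)


def remote_authorization(header_value, rule):
    """REMOTE_AUTHORIZATION as the given rule would leave it for this header value."""
    pattern, env_template = rule
    return set_env_if_nocase(header_value, pattern, env_template)


def parse_basic_credentials(authorization):
    """Minimal stand-in (assumed, not Flow's token class) for what HTTP Basic
    handling needs: "Basic <base64(user:password)>" -> (user, password),
    or None when the scheme word is missing or the payload is malformed."""
    if authorization is None:
        return None
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    for label, rule in (("shipped $1", SHIPPED_RULE), ("fixed $0", FIXED_RULE)):
        value = remote_authorization(BASIC_HEADER, rule)
        print(f"{label:11} REMOTE_AUTHORIZATION={value!r} -> {parse_basic_credentials(value)}")
    print(f"bearer $1$2 REMOTE_AUTHORIZATION={remote_authorization(BEARER_HEADER, BEARER_RULE)!r}")
    # The character class covers only base64 characters, so a token containing
    # other characters is silently cut at the first one it does not match.
    print(f"bearer $1$2 REMOTE_AUTHORIZATION={remote_authorization('Bearer abc.def-ghi', BEARER_RULE)!r}")
```

Running it shows the shipped $1 rule leaving only the base64 payload in REMOTE_AUTHORIZATION, which the Basic parser rejects because the scheme word is gone, while $0 and the $1$2 variant keep the full value. One caveat a practitioner should check: the character class in all three rules is base64-only, so a token that contains a character outside it (a '.' or '-', for example) is not rejected but cut off at that character, and REMOTE_AUTHORIZATION then holds a truncated token; if the token is a header whose first character is outside the class, the variable is simply not set.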
