Fix for Basic Auth not being passed through with PHP in CGI mode #32
Conversation
|
FYI pulled into https://github.com/eventespresso/Basic-Auth |
|
This is sorely needed, this was hard to track. Please consider merging. |
|
Just flagged this in core slack to see if @rmccue et al can take a look |
|
Any progress on this issue? For the moment I am using @mnelson4 version https://github.com/eventespresso/Basic-Auth which works A+ |
|
The solution developed here https://github.com/eventespresso/Basic-Auth is the best one in my opinion because it does not suggest any Apache-specific solutions. The handling of HTTP headers is best handled in PHP, then the plugin just works with any web server. Thanks @mnelson4! |
|
@rmccue Could you review this? |
|
Thanks so much, this fixed my issue with Basic Authentication not working 👍 |
| } | ||
|
|
||
| if ( !empty( $header ) ) { | ||
| list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', base64_decode(substr( $header, 6 ) ) ); |
There was a problem hiding this comment.
I think it should be explode( ':', base64_decode( substr( $header, 6 ) ), 2 ); in case password contains a colon.
| @@ -18,6 +18,18 @@ function json_basic_auth_handler( $user ) { | |||
| return $user; | |||
| } | |||
|
|
|||
| if ( !isset( $_SERVER['PHP_AUTH_USER'] ) && ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) || isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) ) { | |||
There was a problem hiding this comment.
I know this file plugin doesn't always use spaces after a ! but the WordPress coding standards suggest to have them
| $header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; | ||
| } | ||
|
|
||
| if ( !empty( $header ) ) { |
There was a problem hiding this comment.
Let's check that it's a basic access auth here:
if ( 'Basic ' === substr( $header, 0, 6 ) ) {
| @@ -18,6 +18,18 @@ function json_basic_auth_handler( $user ) { | |||
| return $user; | |||
| } | |||
|
|
|||
| if ( !isset( $_SERVER['PHP_AUTH_USER'] ) && ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) || isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) ) { | |||
| if ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) { | |||
| $header = $_SERVER['HTTP_AUTHORIZATION']; | |||
There was a problem hiding this comment.
What do you think about naming this variable $authorization_header to make it more explicit?
| // Check user is logged in before returning API results | ||
| add_filter('rest_pre_dispatch', function ($result) { | ||
|
|
||
| global $DI; |
| add_filter('flush_rewrite_rules_hard','__return_false'); | ||
| ``` | ||
|
|
||
| ### Check for authorisation |
There was a problem hiding this comment.
Not sure this part is necessary in the context of this plugin.
|
This was approved a year ago. A number of hosts use FastCGI and telling customers to use an htaccess workaround to force HTTP for auth is not really a good security practice. Can this please be revisited for WP 5.5? |
#1 Issue fixed.
PHP_AUTH_USER & PHP_AUTH_PW are now being set if PHP is using fast CGI