Handling resources which need authorization #32

Open
simonseyock opened this issue Sep 1, 2017 · 2 comments

@simonseyock

At the moment there is no possibility in the proxy to request resources that need authorization. If you add 'Authorization' headers, those are meant for access to the proxy.php file and will be filtered by most web servers like Apache, IIS or nginx. Each of them has the ability to turn this option off. But I don't think that is a proper solution, because you might want to protect the proxy with authorization, too. Therefore you need two different authorization headers.

I needed a solution for this, so I researched a little bit and encountered the 'Proxy-Authorization' and 'Proxy-Authenticate' headers, which would normally fit perfectly for this cause, but these are not meant to be used in scripts running inside the browser, for security reasons. The W3 standard prohibits using any header starting with 'Proxy-'.

So I created a solution in our version of the proxy which uses a custom HTTP header named 'X-Proxy-Forward-Authorization', where the authorization information can be saved which will be used to access the resource.

See KlausBenndorf@7a5644e

If you are interested, I can provide a pull request.

@simonseyock

Might be better to name it 'Proxy-Forward-Authorization' as the use of the X- prefix is discouraged nowadays. (https://stackoverflow.com/questions/3561381/custom-http-headers-naming-conventions)

@jcubic

jcubic commented May 23, 2018

I've used this code for basic Authentication:

```php
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
    curl_setopt($ch, CURLOPT_USERPWD, $_SERVER['PHP_AUTH_USER'] . ":" . $_SERVER['PHP_AUTH_PW']);
}
```

I've also needed to add CORS headers in PHP, because basic auth requires the Access-Control-Allow-Origin header to be set to the requesting origin and it can't be an asterisk.

You can see my code here: proxy.php
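
Added example, not part of the thread and not the project's proxy.php: one way the two ideas discussed above, a separate forward-authorization header and an exact-origin CORS response, could be handled in PHP. The allowlists, function names and sample request are assumptions constructed for illustration; the header name is the one proposed in the issue.

```php
<?php
// Added example. Allowlists are constructed sample values, not the project's configuration.
const ALLOWED_ORIGINS  = ['https://app.example.org'];   // sites allowed to call the proxy
const ALLOWED_UPSTREAM = ['api.example.org'];           // hosts that may receive credentials
const FORWARD_HEADER   = 'X-Proxy-Forward-Authorization'; // header name from the issue

// CORS response headers for a credentialed request: echo the exact origin, never "*".
function corsHeaders(?string $origin): array {
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return []; // unknown origin: no CORS headers, so the browser blocks the read
    }
    return [
        'Access-Control-Allow-Origin: ' . $origin,
        'Access-Control-Allow-Credentials: true',
        'Access-Control-Allow-Headers: Authorization, ' . FORWARD_HEADER,
        'Vary: Origin', // keep caches from reusing the response for another origin
    ];
}

// Headers for the upstream request. The proxy's own Authorization header is not
// copied; only the dedicated forward header becomes the upstream Authorization.
function upstreamHeaders(string $url, array $server): array {
    $key   = 'HTTP_' . strtoupper(str_replace('-', '_', FORWARD_HEADER));
    $value = $server[$key] ?? null;
    if ($value === null) {
        return []; // nothing to forward
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    if ($scheme !== 'https' || !is_string($host)
        || !in_array(strtolower($host), ALLOWED_UPSTREAM, true)) {
        throw new RuntimeException('refusing to send credentials to ' . $url);
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new RuntimeException('control characters in forwarded credential');
    }
    return ['Authorization: ' . $value];
}

// Constructed sample request so the block runs from the CLI. In a proxy script the
// result would be passed to curl_setopt($ch, CURLOPT_HTTPHEADER, ...).
$server = [
    'HTTP_ORIGIN' => 'https://app.example.org',
    'HTTP_X_PROXY_FORWARD_AUTHORIZATION' => 'Basic dXNlcjpwYXNz', // "user:pass", constructed
];
print_r(corsHeaders($server['HTTP_ORIGIN'] ?? null));
print_r(upstreamHeaders('https://api.example.org/data', $server));
```

Restricting forwarded credentials to listed HTTPS hosts matters because the proxy takes the target URL from the caller; without that check the same header would be sent to whatever host the URL names.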
