Bug #44684

Authorization header redirect in .htaccess strips the Basic-prefix

Added by Peter Rauber almost 9 years ago. Updated about 7 years ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2013-01-21
Due date:
% Done:
0%

Estimated time:

Description

The .htaccess file in the web folder contains this command:
SetEnvIfNoCase Authorization "Basic ([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$1

This will strip the prefix "Basic " from the authorization header.

Changing this to:
SetEnvIfNoCase Authorization "Basic ([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$0

worked for me. Maybe this should be updated in the shipped .htaccess file.

#1

Updated by Peter Rauber over 7 years ago

Still present for me. Is this bugtracker still active?

#2

Updated by Peter Rauber over 7 years ago

Additional information to reproduce:

Here is a snippet from my settings.yaml where I configured the Authentication/Provider/Token for HttpBasic:

TYPO3:
  Flow:
    security:
      authentication:
        authenticationStrategy: oneToken
        providers:
          RestApiProvider:
            provider: PersistedUsernamePasswordProvider
            token: TYPO3\Flow\Security\Authentication\Token\UsernamePasswordHttpBasic

When you then send a web request (including an Authorization header) to the Flow instance, you can debug TYPO3\Flow\Security\Authentication\Token\UsernamePasswordHttpBasic and see that the header data has lost the word 'Basic'.

We use apache2 on several machines, it happens everywhere. Dunno if apache2-related.

#3

Updated by DANIEL Rémy about 7 years ago

I also have this kind of issue with Bearer token...

Authorization Bearer e1e9aa6332bde97dcbdf1a7e99472784

I can't read this header in the Request. I need to monkey patch .htaccess in order to access it properly:

SetEnvIfNoCase Authorization "(Bearer )([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$1$2
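The following is an added example that is not part of this bug report and not TYPO3 Flow or Apache code. It emulates the back-reference expansion of mod_setenvif's SetEnvIfNoCase in Python, so the three directives quoted on this page (the shipped `$1` form from the description, the reporter's `$0` fix, and the `$1$2` Bearer form from comment #3) can be compared side by side, and it then parses the resulting value the way a Basic-auth token would, to show why the missing scheme word breaks authentication. Assumptions: `setenvif` is a simplified stand-in for Apache's real matcher (`$0` = whole match, `$1`..`$9` = capture groups, case-insensitive header match); `parse_basic` is a hypothetical parser, not the Flow token's code; the Basic credential `alice:s3cret` is constructed; the Bearer token string is the one quoted in comment #3.

```python
import base64
import re

# Constructed sample headers. The Basic credential is made up for this example;
# the Bearer value is the token string quoted in comment #3 of the report.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()
BEARER_HEADER = "Bearer e1e9aa6332bde97dcbdf1a7e99472784"

# The three directive variants discussed on the page (pattern, replacement).
SHIPPED_BASIC = (r"Basic ([a-zA-Z0-9\+/=]+)", "$1")      # shipped .htaccess: prefix lost
FIXED_BASIC = (r"Basic ([a-zA-Z0-9\+/=]+)", "$0")        # reporter's fix: whole match kept
BEARER_PATCH = (r"(Bearer )([a-zA-Z0-9\+/=]+)", "$1$2")  # comment #3: scheme re-assembled


def setenvif(header_value, pattern, replacement):
    """Emulate SetEnvIfNoCase back-reference expansion (simplified stand-in,
    not Apache's implementation). The header is matched case-insensitively;
    $0 expands to the whole match, $1..$9 to capture groups. Returns None when
    the pattern does not match, i.e. the env variable would not be set."""
    m = re.search(pattern, header_value, re.IGNORECASE)
    if m is None:
        return None

    def expand(ref):
        n = int(ref.group(1))
        return m.group(n) if n <= len(m.groups()) else ""

    return re.sub(r"\$(\d)", expand, replacement)


def parse_basic(value):
    """Hypothetical parser for a Basic credential of the form
    "Basic <base64(user:password)>". Returns (user, password), or None when
    the scheme word is absent or the payload is not valid base64, which is
    what a token expecting the full header sees after the shipped rule."""
    if value is None:
        return None
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def demo():
    """Apply each directive variant and return the resulting env values."""
    return {
        "shipped_basic": setenvif(BASIC_HEADER, *SHIPPED_BASIC),
        "fixed_basic": setenvif(BASIC_HEADER, *FIXED_BASIC),
        "bearer_patch": setenvif(BEARER_HEADER, *BEARER_PATCH),
        # the Basic rule does not fire on a Bearer header at all
        "basic_rule_on_bearer": setenvif(BEARER_HEADER, *SHIPPED_BASIC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} -> {value!r}  parse_basic={parse_basic(value)!r}")
```

The `$1` variant yields only the base64 payload, so anything that checks for the `Basic` scheme word before decoding rejects it; `$0` keeps the scheme word and the payload decodes to the original user and password. The Bearer rule in comment #3 reaches the same end by capturing the scheme word in its own group and concatenating both groups.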
