<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[47239] trunk: REST API: Add support for the REDIRECT_HTTP_AUTHORIZATION header.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/47239">47239</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/47239","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>TimothyBlynJacobs</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2020-02-10 16:06:58 +0000 (Mon, 10 Feb 2020)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>REST API: Add support for the REDIRECT_HTTP_AUTHORIZATION header.

Previously the REST API did not account for server configurations where the Authorization header must be added using ModRewrite. This caused major DUX issues when trying to use custom authentication mechanisms.

Fixes <a href="https://core.trac.wordpress.org/ticket/47077">#47077</a>.
Props dshanske, cklosows.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesrestapiclasswprestserverphp">trunk/src/wp-includes/rest-api/class-wp-rest-server.php</a></li>
<li><a href="#trunktestsphpunittestsrestapirestserverphp">trunk/tests/phpunit/tests/rest-api/rest-server.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesrestapiclasswprestserverphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/class-wp-rest-server.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/class-wp-rest-server.php   2020-02-10 15:15:07 UTC (rev 47238)
+++ trunk/src/wp-includes/rest-api/class-wp-rest-server.php     2020-02-10 16:06:58 UTC (rev 47239)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1380,6 +1380,12 @@
</span><span class="cx" style="display: block; padding: 0 10px">                foreach ( $server as $key => $value ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( strpos( $key, 'HTTP_' ) === 0 ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $headers[ substr( $key, 5 ) ] = $value;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        } elseif ( 'REDIRECT_HTTP_AUTHORIZATION' === $key && empty( $server['HTTP_AUTHORIZATION'] ) ) {
+                               /*
+                                * In some server configurations, the authorization header is passed in this alternate location.
+                                * Since it would not be passed in in both places we do not check for both headers and resolve.
+                                */
+                               $headers['AUTHORIZATION'] = $value;
</ins><span class="cx" style="display: block; padding: 0 10px">                         } elseif ( isset( $additional[ $key ] ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $headers[ $key ] = $value;
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span></span></pre></div>
<a id="trunktestsphpunittestsrestapirestserverphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/rest-api/rest-server.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/rest-api/rest-server.php        2020-02-10 15:15:07 UTC (rev 47238)
+++ trunk/tests/phpunit/tests/rest-api/rest-server.php  2020-02-10 16:06:58 UTC (rev 47239)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1373,6 +1373,64 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertEquals( '', rest_get_server()->sent_body );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        /**
+        * @ticket 47077
+        */
+       public function test_http_authorization_header_substitution() {
+               $headers        = array( 'HTTP_AUTHORIZATION' => 'foo' );
+               $parsed_headers = rest_get_server()->get_headers( $headers );
+
+               $this->assertSame(
+                       array( 'AUTHORIZATION' => 'foo' ),
+                       $parsed_headers
+               );
+       }
+
+       /**
+        * @ticket 47077
+        */
+       public function test_redirect_http_authorization_header_substitution() {
+               $headers        = array( 'REDIRECT_HTTP_AUTHORIZATION' => 'foo' );
+               $parsed_headers = rest_get_server()->get_headers( $headers );
+
+               $this->assertSame(
+                       array( 'AUTHORIZATION' => 'foo' ),
+                       $parsed_headers
+               );
+       }
+
+       /**
+        * @ticket 47077
+        */
+       public function test_redirect_http_authorization_with_http_authorization_header_substitution() {
+               $headers        = array(
+                       'HTTP_AUTHORIZATION'          => 'foo',
+                       'REDIRECT_HTTP_AUTHORIZATION' => 'bar',
+               );
+               $parsed_headers = rest_get_server()->get_headers( $headers );
+
+               $this->assertSame(
+                       array( 'AUTHORIZATION' => 'foo' ),
+                       $parsed_headers
+               );
+       }
+
+       /**
+        * @ticket 47077
+        */
+       public function test_redirect_http_authorization_with_empty_http_authorization_header_substitution() {
+               $headers        = array(
+                       'HTTP_AUTHORIZATION'          => '',
+                       'REDIRECT_HTTP_AUTHORIZATION' => 'bar',
+               );
+               $parsed_headers = rest_get_server()->get_headers( $headers );
+
+               $this->assertSame(
+                       array( 'AUTHORIZATION' => 'bar' ),
+                       $parsed_headers
+               );
+       }
+
</ins><span class="cx" style="display: block; padding: 0 10px">         public function _validate_as_integer_123( $value, $request, $key ) {
</span><span class="cx" style="display: block; padding: 0 10px">                if ( ! is_int( $value ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        return new WP_Error( 'some-error', 'This is not valid!' );
</span></span></pre>
</div>
</div>

</body>
</html>