Slim: Authorization not in header

Created on 25 Nov 2015 · 9 Comments · Source: slimphp/Slim

Hey guys,
With Slim2 I was able to get the value supplied in the Authorization in the headers but with Slim3 I can't get it.
I can get other header parameters though.
This is what I have tried

$request->getHeader("Authorization")

Is there any other way to access this?

Slim 3

All 9 comments

That is how you read a header field.

Call to $request->getHeader("Authorization") works fine. However, if you are using Apache and send something other than a valid Authorization: Basic header, PHP won't have access to it unless you add the following to your .htaccess file.

RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

@tuupola Thanks, it works. I am using apache. Does this also fix it if I am using nginx?
For apache server, this is how I had hacked it :dart:

$headers = apache_request_headers();
$headers["Authorization"];

@bmutinda The missing Authorization header appears to be an Apache only thing.

On Apache 2.4 (before 2.4.13) with PHP-FPM this rewrite would work

RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

but it will result in a REDIRECT_HTTP_AUTHORIZATION header which is still not accessible by

$request->getHeader("Authorization")

Apache 2.4.13 introduced a CGIPassAuth directive that would allow passing the Authorization header to the script although I haven't tested this myself.

For now the only workarounds are to either access $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] or use a custom header name.
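The `$_SERVER` fallback described in the comment above, as an added example that is not part of the original thread and not Slim's own code. The function name `resolveAuthorization` is hypothetical and the sample arrays are constructed stand-ins for `$_SERVER`.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Slim's code): find the Authorization value in the
 * server parameters Apache may have set, then split it into scheme and
 * credentials. Returns null when the header is absent or malformed.
 */
function resolveAuthorization(array $server): ?array
{
    // Keys named in the thread: the RewriteRule sets HTTP_AUTHORIZATION,
    // which the thread reports can surface as REDIRECT_HTTP_AUTHORIZATION.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!isset($server[$key]) || !is_string($server[$key])) {
            continue;
        }
        $value = trim($server[$key]);
        // Expect "<scheme> <credentials>" with token-style credentials
        // (Basic, Bearer); anything else is rejected, not passed through.
        if (preg_match('/^([A-Za-z][A-Za-z0-9_-]*) +(\S+)$/', $value, $m) !== 1) {
            return null;
        }
        return ['source' => $key, 'scheme' => strtolower($m[1]), 'credentials' => $m[2]];
    }
    return null;
}

// Constructed sample inputs standing in for $_SERVER in four situations.
$samples = [
    'header passed directly' => ['HTTP_AUTHORIZATION' => 'Bearer sample.token.value'],
    'rewrite with redirect prefix' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer sample.token.value'],
    'header never forwarded' => ['HTTP_HOST' => 'example.test'],
    'malformed value' => ['HTTP_AUTHORIZATION' => 'Bearer'],
];

foreach ($samples as $label => $server) {
    $auth = resolveAuthorization($server);
    if ($auth === null) {
        // Fail closed: a missing or malformed header is unauthenticated.
        echo "$label: no usable Authorization header -> respond 401\n";
        continue;
    }
    // Log only where the value came from, never the credentials.
    echo "$label: {$auth['scheme']} credentials via {$auth['source']}\n";
}
```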

Just FYI, https://github.com/slimphp/Slim/pull/898 was Slim 2 pull request regarding this. Did not know about CGIPassAuth. Thanks for the tip!

Thanks I was only searching for Slim 3. Any chance a similar PR would be accepted for 3?

@akrabat

I have this issue and can't solve it. I am using nginx and Slim 3. Here's my route:

    $app->get('/api/private/offers', function ($request, $response, $next) {
        //$headers = apache_request_headers();
        $headers = $request->getHeaders();
        var_dump($headers);
    });

Here is the output

    array (size=11)
      'HTTP_COOKIE' =>
        array (size=1)
          0 => string 'PHPSESSID=p8r0lrt3ujkj24jac72hnh1fqs' (length=36)
      'HTTP_ACCEPT_LANGUAGE' =>
        array (size=1)
          0 => string 'en-US,en;q=0.9' (length=14)
      'HTTP_ACCEPT_ENCODING' =>
        array (size=1)
          0 => string 'gzip, deflate' (length=13)
      'HTTP_ACCEPT' =>
        array (size=1)
          0 => string 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' (length=85)
      'HTTP_UPGRADE_INSECURE_REQUESTS' =>
        array (size=1)
          0 => string '1' (length=1)
      'HTTP_USER_AGENT' =>
        array (size=1)
          0 => string 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36' (length=114)
      'HTTP_CACHE_CONTROL' =>
        array (size=1)
          0 => string 'max-age=0' (length=9)
      'HTTP_CONNECTION' =>
        array (size=1)
          0 => string 'keep-alive' (length=10)
      'Host' =>
        array (size=1)
          0 => string 'offline-report.test' (length=19)
      'CONTENT_LENGTH' =>
        array (size=1)
          0 => string '' (length=0)
      'CONTENT_TYPE' =>
        array (size=1)
          0 => string '' (length=0)

Notice that 'Authorization' header is not included

I enabled the CORS as per Slim Docs

    $app->options('/{routes:.+}', function ($request, $response, $args) {
        return $response;
    });

    $app->add(function ($req, $res, $next) {
        $response = $next($req, $res);
        return $response
            ->withHeader('Access-Control-Allow-Origin', '*')
            ->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
            ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
    });

Trying

    //$headers = apache_request_headers();

Still same result

But I return it to console, it's there, I am so confused.

    return json_encode($request->getHeader('Authorization'));

    0 => string 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9VTTFSVEk1TVVaQ01FRkJPVFkxUkVReE5rUXdNelEwT0VFd1FVSTVSVGsxTkVaRU5ESXdRUSJ9.eyJpc3MiOiJodHRwczovL2NoZWF0c2hlZXQuYXV0aDAuY29tLyIsInN1YiI6Imdvb2dsZS1vYXV0aDJ8MTA2ODQ2MTU0MzE1OTcxNTU5NjczI

Do you have an idea for this? I am using NGINX

I've never used nginx. Maybe ask on the forums.
