Slim: Unable to catch Authorization header

Created on 17 May 2014 · 11 Comments · Source: slimphp/Slim

Hi All,

I was trying to catch the HTTP Authorization header by accessing $app->request->headers->get('Authorization'), but I get nothing in return.

Here is how to reproduce the issue:

The Accept-Encoding header is shown as gzip, deflate, but the Authorization header doesn't show up.

I am using Firefox as the browser and jQuery to send an AJAX request, appending a custom header for Authorization:

$.ajax({
    method: 'POST',
    url: 'header',
    data: {test: 'test'},
    headers: {
        'Authorization' : 'test auth'
    }
});

Here is what I get from the request headers tab in Firebug:

Accept  */*
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Authorization   test auth
Content-Length  9
Content-Type    application/x-www-form-urlencoded; charset=UTF-8
Cookie  /** hidden **/
Host    localhost
Referer http://localhost/github/Slim/public/
User-Agent  Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0
X-Requested-With    XMLHttpRequest

And here is my route and controller:

$app->post('header', 'HomeController:headerTest');
Class HomeController
{
    protected $app;

    public function __construct(){
        $this->app = \Slim\Slim::getInstance();
    }

    public function headerTest(){
        echo $this->app->request->headers->get('Accept-Encoding');
        echo $this->app->request->headers->get('Authorization');
    }
}

All 11 comments

Basic authentication header should look something like this.

Authorization: Basic cm9vdDp0MDBy

Authentication most likely fails because of non standard header. You can also pass credentials like this:

$.ajax({
    method: "POST",
    url: "/admin",
    username: "root",
    password: "t00r"
});

With Slim 2.4.3 I am able to access Authorization header via both $app->request->headers->get("Authorization") and $_SERVER["HTTP_AUTHORIZATION"].

<?php

require "vendor/autoload.php";

$app = new \Slim\Slim();

$app->add(new \Slim\Middleware\HttpBasicAuthentication(array(
    "path" => "/admin",
    "realm" => "Here be dragons.",
    "users" => array(
        "root" => "t00r",
        "user" => "passw0rd"
    )
)));

$app->get("/admin", function() use ($app) {
    var_dump($app->request->headers->get("Authorization"));
    var_dump($_SERVER["HTTP_AUTHORIZATION"]);
});

$app->run();

Gives the following result:

string 'Basic cm9vdDp0MDBy' (length=18)
string 'Basic cm9vdDp0MDBy' (length=18)

This answer could be helpful.

I ran into this same issue. I discovered Josh Lockhart's (@codeguy) comment on the Slim forums.

There, he refers to Volker Grabsch's (@vog) comment on PHP manual which explains that PHP only parses the Authorization header for Basic and Digest.

The solution suggested there is to have Apache rewrite the header to essentially prefix "HTTP_" which will then allow PHP to parse it properly.

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

I don't know the backstory on why PHP has such strict regulations on parsing the Authorization header. Hopefully, PHP will at least support OAuth soon as this is a common problem, e.g. the PHP oauth package has reported a related bug.

I think it would be great if Slim supported this in the mean time by modifying Slim/Environment.php to pull the Authorization header from the request and adding it to the environment. Then, modify Slim/Http/headers.php to add 'AUTHORIZATION' to the special headers.

It looks like Mika Tuupola (@tuupola) may have indirectly encountered this issue as well as indirectly noted in PR https://github.com/codeguy/Slim/pull/898 and is using the Apache rewrite rule.

It looks like there isn't a really easy solution for this since the only thing you can get from PHP is All The Things!™ (see getallheaders).

With current version of Slim if you add the following to .htaccess file.

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

You can then access even non standard header with any of these.

print $_SERVER["HTTP_AUTHORIZATION"];
print apache_request_headers()["Authorization"];
print $app->request->headers("Authorization");

@tuupola How would you suggest this to work under nginx + php-fpm? Have nginx rewrite the header as well?

I'd like to note that with Apache 2.4.7, PHP 5.6.15 with Apache mod_proxy_fcgi PHP-FPM using a ProxyPassMatch directive to send *.php requests over to PHP, setting an environment variable "HTTP_AUTHENTICATION" gets mangled by something, and I wind up with $_SERVER['REDIRECT_HTTP_AUTHENTICATION'] instead. I am not sure where the 'REDIRECT_' part is coming from, but you might want to also check for this as an edge case. I haven't figured out why yet, and I've had to add a kludge fix to look for this specifically.

This is an undocumented Apache "feature". There was a pull request (https://github.com/slimphp/Slim/pull/898) for Slim 2. Something similar could be done for Slim 3.
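The fallbacks discussed in this thread, collected into one lookup as an added example (not code from Slim or from any commenter). The helper names resolveAuthorization() and parseAuthorization() are hypothetical, and the sample environments are constructed; a missing or malformed header resolves to null so the caller can reject the request instead of guessing.

```php
<?php
// Hypothetical helpers; $server is normally $_SERVER, $headers is getallheaders() where available.
function resolveAuthorization(array $server, array $headers = array())
{
    // HTTP_AUTHORIZATION is what the SetEnvIf / RewriteRule / CGIPassAuth workarounds populate;
    // the REDIRECT_ variant is the same variable after Apache has prefixed it.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (isset($server[$key]) && trim($server[$key]) !== '') {
            return trim($server[$key]);
        }
    }
    // Header names are case-insensitive, so compare without regard to case.
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0 && trim($value) !== '') {
            return trim($value);
        }
    }
    // For Basic auth PHP may expose only the already-parsed credentials.
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return 'Basic ' . base64_encode($server['PHP_AUTH_USER'] . ':' . $pw);
    }
    return null; // nothing reached PHP: treat the request as unauthenticated
}

// Split "Scheme credentials" into its parts; null on missing or malformed input.
function parseAuthorization($raw)
{
    if ($raw === null || !preg_match('/^([A-Za-z][A-Za-z0-9._-]*)\s+(\S.*)$/', $raw, $m)) {
        return null;
    }
    return array('scheme' => strtolower($m[1]), 'credentials' => $m[2]);
}

// Constructed sample environments (not captured from a real server).
$samples = array(
    'direct'   => array('HTTP_AUTHORIZATION' => 'Bearer constructed-token'),
    'redirect' => array('REDIRECT_HTTP_AUTHORIZATION' => 'Bearer constructed-token'),
    'basic'    => array('PHP_AUTH_USER' => 'root', 'PHP_AUTH_PW' => 't00r'),
    'stripped' => array('HTTP_ACCEPT_ENCODING' => 'gzip, deflate'),
);
foreach ($samples as $label => $server) {
    $auth = parseAuthorization(resolveAuthorization($server));
    // Print only the scheme: credentials do not belong in output or logs.
    echo $label, ': ', $auth ? $auth['scheme'] : 'none (reject with 401)', "\n";
}
```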

While using this in .htaccess, I got a 500 error:
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

You can allow Apache to forward the Auth header with the directive:
CGIPassAuth On

You can put it in your .htaccess or in the Apache configuration.

I've stumbled upon this as well, and because I found this on Google in the first results, here is how I managed it:

$request->getHeader("Authorization");