Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix for Basic Auth not being passed through with PHP in CGI mode #32

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,3 +32,63 @@ $args = array(

[oauth]: https://github.com/WP-API/OAuth1
[RFC2617]: https://tools.ietf.org/html/rfc2617

---

## Forcing all API requests to require authorisation

A few notes on making this work on servers with php-cgi.

### .htaccess
If you're using php-cgi you'll need to tweak the .htaccess file slightly. (more info about the issue: https://github.com/LearningLocker/learninglocker/issues/131)

Change the Wordpress block in .htaccess in the root folder to:

```
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

# END WordPress
```

Then you'll want to stop Wordpress from overwriting this if you save permalinks.

Add this to your functions.php file: (You'll still be able to update your permalinks don't worry...)

```
// Stop WordPress from modifying .htaccess permalink rules
add_filter('flush_rewrite_rules_hard','__return_false');
```

### Check for authorisation
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure this part is necessary in the context of this plugin.


Now we're able to get the right headers when running php-cgi, add this to your functions.php file:

What we're doing here is returning the result if they are logging in, or returning an error if they are not logged in.

```
// Check user is logged in before returning API results
add_filter('rest_pre_dispatch', function ($result) {

global $DI;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what this is for?


if (is_user_logged_in()) {
return $result;
} else {
return [
'error_code' => 'rest_requires_authentication',
'message' => 'Using REST requires authentication.',
'status' => '403'
];
}
});


```
12 changes: 12 additions & 0 deletions basic-auth.php
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,18 @@ function json_basic_auth_handler( $user ) {
return $user;
}

if ( !isset( $_SERVER['PHP_AUTH_USER'] ) && ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) || isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) ) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this file plugin doesn't always use spaces after a ! but the WordPress coding standards suggest to have them

if ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
$header = $_SERVER['HTTP_AUTHORIZATION'];
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about naming this variable $authorization_header to make it more explicit?

} else {
$header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
}

if ( !empty( $header ) ) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's check that it's a basic access auth here:

if ( 'Basic ' === substr( $header, 0, 6 ) ) {

list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', base64_decode(substr( $header, 6 ) ) );
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be explode( ':', base64_decode( substr( $header, 6 ) ), 2 ); in case password contains a colon.

}
}

// Check that we're trying to authenticate
if ( !isset( $_SERVER['PHP_AUTH_USER'] ) ) {
return $user;
Expand Down