Commit 5e9cf61a authored by Daniel Stone's avatar Daniel Stone Committed by Ana Rute Mendes
Browse files

HACK: Conduit: Accept OAuth2 Authorization header

This is really lame. The Ruby OAuth2 client can only pass its token in
the form data (which Phab is not prepared to accept), or as part of the
Authorization header (which PHP strips out).

Use a function only available in newer PHP to scrape the Authorization
header from the raw stream.

I have no idea what the correct fix is.
parent f07c152b
......@@ -362,6 +362,20 @@ final class PhabricatorConduitAPIController
$access_token = idx($metadata, 'access_token');
// Some OAuth2 clients only like to do an Authorization header. This
// would be the same Authorization header which PHP strips from us.
// Luckily apache_request_headers() seems to work.
if (!$access_token) {
$all_headers = apache_request_headers();
if (isset($all_headers['Authorization'])) {
$auth_header = explode(' ', $all_headers['Authorization']);
if (count($auth_header) == 2 && $auth_header[0] == 'Bearer') {
$access_token = $auth_header[1];
if ($access_token) {
$token = id(new PhabricatorOAuthServerAccessToken())
->loadOneWhere('token = %s', $access_token);
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment