Commit 28954e97 authored by Daniel Stone

Conduit: Accept OAuth2 Authorization header

This is really lame. The Ruby OAuth2 client can only pass its token in
the form data (which Phab is not prepared to accept), or as part of the
Authorization header (which PHP strips out).

Use a function only available in newer PHP to scrape the Authorization
header from the raw stream.
Signed-off-by: Daniel Stone <>
parent edd91eac
......@@ -362,6 +362,20 @@ final class PhabricatorConduitAPIController
$access_token = idx($metadata, 'access_token');
// Some OAuth2 clients only like to do an Authorization header. This
// would be the same Authorization header which PHP strips from us.
// Luckily apache_request_headers() seems to work.
if (!$access_token) {
$all_headers = apache_request_headers();
if (isset($all_headers['Authorization'])) {
$auth_header = explode(' ', $all_headers['Authorization']);
if (count($auth_header) == 2 && $auth_header[0] == 'Bearer') {
$access_token = $auth_header[1];
if ($access_token) {
$token = id(new PhabricatorOAuthServerAccessToken())
->loadOneWhere('token = %s', $access_token);
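Review bot: the `apache_request_headers()` call inside `if (!$access_token) {` is unguarded, yet the commit message says the function is only available in newer PHP, so on an install that lacks it every Conduit request arriving without `access_token` in the metadata would die with an undefined-function fatal error. Wrap the call in a `function_exists('apache_request_headers')` check and add a comment naming the minimum PHP version. Separately, the lookup `$all_headers['Authorization']` and the comparison `$auth_header[0] == 'Bearer'` are both case-sensitive, while HTTP header names and authentication scheme names are case-insensitive, so a client sending `authorization: bearer ...` may be silently treated as unauthenticated. Normalizing the keys with array_change_key_case() and comparing the scheme with strcasecmp() would cover that. The `explode(' ', ...)` plus `count($auth_header) == 2` check also rejects a header with more than one space between scheme and token. If that strictness is intended, say so in the comment.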