33

I am using POSTMAN to send a GET request into the api with a header containing Authorization.

I know the data header works because if it doesn't the route returns a 401 error.

I wanted to get the Authorization header like so:

$access_token = Request::header('Authorization');

But noticed that it returns NULL.

So I tried to catch the values with:

die(var_dump(Request::header()));

And noticed that it doesn't contain any Authorization header. Just host to cookie headers.

update

Should get Authorization: Bearer ACCESS TOKEN

majidarif
  • 18,694
  • 16
  • 88
  • 133

5 Answers5

51

What POSTMAN Version did you use?

Are you on your local machine or managed server, some hosting companies don't allow AUTHORIZATION HEADER.

.htaccess modification

 RewriteEngine On
 RewriteCond %{HTTP:Authorization} .
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
dschniepp
  • 1,083
  • 12
  • 19
  • Latest version. I'm on my local machine. I'll try this later. – majidarif Jan 01 '14 at 08:16
  • You try a `curl -H "Authorization: Bearer " http://localhost`, just to be on the safe side that it's not an issue of POSTMAN. – dschniepp Jan 02 '14 at 12:07
  • Thanks for this solution, save my life and time :) +1 – rigobcastro Feb 11 '15 at 23:12
  • 1
    Thanks .. this solution helped me But can you please explain what this code exactly does??Because i dont know much about Htaccess commands – Sameer Shaikh May 04 '15 at 06:16
  • @SameerShaikh the code is forwarding the _HTTP Authorization Header_ via an explicitly mapping to the env variable _ HTTP_AUTHORIZATION_. For more information about this kind of "Htaccess commands" check the docs of the Apache Module __mod_rewrite__. – dschniepp May 08 '15 at 23:15
  • So helpful, had the same issue, never would have figured it out on my own, thanks. :) – user3718908x100 Aug 24 '15 at 16:30
  • If you have complete control over your server, is there a way to allow the Authorization header, instead of having to add bypass it in this way? – andrewtweber Dec 07 '15 at 16:09
  • this is in the latest Laravel 5.8. check out this answer https://stackoverflow.com/a/59427256/372215 – Artistan Dec 20 '19 at 15:00
  • @dschniepp : still not working. I have added this thing in to public folders .htaccess. I am using Laravel 6 and ubuntu 18.0.4 version. All the time it gives me null value in return. – aliasgar vanak Apr 13 '20 at 08:30
8

The answer from dschniepp is right, but I have problems with this too. You have to do two things:

  1. Check if mod_rewrite is available and activated.
  2. Update the .htaccess file of Laravel, located in the public folder.

In the first point you have to check if the "mod_rewrite" module is available through php_info function, in a separate php file. Then if it is available you have to activate it, that depends on the configuration of your webserver, in my Nitrous box I added these lines to my httpd.conf file:

<IfModule mod_rewrite>
   RewriteEngine On
</IfModule>

Or you can activate the module in the .htaccess file too:

RewriteEngine On

Then in the same .htaccess file located in public folder in the root of the laravel app, you have to add these lines:

RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

These lines worked for me. Your .htaccess file should look like this:

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

    # Redirect Trailing Slashes...
    RewriteRule ^(.*)/$ /$1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

And that's it, you should have the Authorization header in the Request::header() array. Just to clarify these is an issue with Apache, not with Laravel itself.

dschniepp
  • 1,083
  • 12
  • 19
daver
  • 445
  • 5
  • 12
4

In Laravel 5.5 you can read herders by using apache_request_headers simply read it in your controller by the following lines

$headers = apache_request_headers();
dd($headers['Authorization']);

Make sure you have added use Illuminate\Http\Request; in your controller

Rashi Goyal
  • 933
  • 9
  • 15
4

Missing authorization headers with Apache virtual host.

Apart of the solution above the culprit may be because Apache server does not allow authorization header to pass through virtual host.

To solve this issue you have to add the line allowing Apache to pass authorization header to PHP in you virtual hosts configuration. E.g. for Ubuntu 18.04 the virtual host is defined in /etc/apache2/sites-available/your-site-name.conf, see this tutorial for better context.

<VirtualHost>
    # ...
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    # ...
</VirtualHost>

After updating the virtual host config do not forget to restart Apache (again e.g. Ubuntu 18.04 sudo systemctl restart apache2).

This should fix the issue.

Here is the original answer.

Valentine Shi
  • 6,604
  • 4
  • 46
  • 46
0

Posting this here as it solved my problem. This applies for sub domains but can obviously be adjusted for plain domains as well. Applied this within my routes file at the top.

$newUrl = '';
try{
    $urlParts = parse_url($_SERVER['HTTP_REFERER']) ?? '';
    $newUrl = $urlParts['scheme'] . "://" . $urlParts['host'];
    if(!stristr($newUrl, '.yourdomain.com')){
        $newUrl = 'false';
    }
}catch(Exception $e)
{}
header('Access-Control-Allow-Origin: ' . $newUrl);
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: access-control-allow-origin,cache-control,content-type,postman-token');
Brandon Korenek
  • 167
  • 3
  • 14