7

I am passing an Authorization: Bearer { Token } as an HTTP request to my Symfony Rest Controller.

My Request:

GET /app_dev.php/api/members HTTP/1.1
Host: localhost
Authorization: Bearer 123456789
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

Inside My controller:

$this->getRequest()->headers;

For some reason when I use Symfony's Request method the Authorization header isn't available to my controller. When I use PHP's getallheaders() the Authorization header shows up as expected. Any ideas on why Symfony isn't seeing it?

Thanks

Pathsofdesign
  • I remember I had sort of the same trouble trying to reach a server parameter called webauth in Symfony. I have this in my code: $this->get('request')->server; if this doesn't help I'll research further what I did to get the server parameter – Cesc Oct 18 '13 at 09:14
  • @Francesc - I wasn't able to reach the Authorization header via $this->get('request')->server; – Pathsofdesign Oct 18 '13 at 16:05

5 Answers

24

It is most likely stripped by Apache. Bearer is not a known scheme, it is sort of proprietary.

Therefore, either you use a custom header, like X-Bearer-Token: 123456789 or you can try to add this rewrite condition in your .htaccess

RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
Boris Guéry
  • 1
    If Apache is stripping 'Authorization' is there a reason why I can access it via raw PHP and not Symfony? I also tried the RewriteConds, no success. – Pathsofdesign Oct 18 '13 at 16:10
  • 2
    Sorry, I placed the Rewrite conditions at the bottom of .htaccess with no results, but when I placed the code at the top of .htaccess it does work. Thanks for your help. – Pathsofdesign Oct 18 '13 at 17:31
  • 1
    Are you able to add a bit of explanation about 1. why it's visible to PHP's getallheaders() and 2. why this rewrite rule works? – Caleb Fidecaro Jun 10 '14 at 05:03
  • Is there any other way, without doing the `rewrite condition in your .htaccess`? I'm confused because some clients such as Android, iOS, Web clients/devices are working properly without the need for the rewrite condition. But when using Android-React-Native, the problem exists. – ekouChiq Aug 11 '16 at 05:20
4

There seems to be a disconnect here between the question and the accepted answer. If the Authorization header is available to PHP's getallheaders() then Apache clearly isn't stripping it. I'd guess that the problem is related to the use of Symfony. $this->getRequest()->headers doesn't return an object containing headers, it returns a HeaderBag. Assuming the header is visible to getallheaders(), this works:

$this->getRequest()->headers->all();

Or more specifically:

$this->getRequest()->headers->get('Authorization');
dazweeja
  • Actually, he's right. If you try to get a JSON Web Token that is part of the headers using $headers = $request->headers->all(), there's no "authorization" key in the returned Headers. The Apache rewrite rules solved the issue – Yann Boisclair-Roy Mar 17 '16 at 14:45
  • 1
    I am having the same issue on Symfony3. I can get the Authorization header from raw PHP but not from Symfony – AntonioCS Mar 28 '16 at 13:13
4

Symfony is using the PHP global variable $_SERVER to create the Request->headers variable, but $_SERVER does not contain all headers. To get all headers you have to use the PHP native function getallheaders(). More info: http://php.net/manual/en/function.getallheaders.php

Nikdyvice
2

Seems like the Apache mod_php "eats" the Authorization header.

This worked for me:

if (!$request->headers->has('Authorization') && function_exists('apache_request_headers')) {
    $all = apache_request_headers();
    if (isset($all['Authorization'])) {
        $request->headers->set('Authorization', $all['Authorization']);
    }
}
Blafasel42
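An added example, not code from any of the answers on this page: a framework-independent resolver that checks the places the answers mention (the HTTP_AUTHORIZATION variable set by the rewrite rule, then the raw headers from getallheaders()/apache_request_headers()) and parses the Bearer token strictly, returning null when the header is absent or malformed. The function names are hypothetical, and REDIRECT_HTTP_AUTHORIZATION is included because Apache prefixes environment variables with REDIRECT_ after an internal redirect, which the page itself does not discuss.

```php
<?php
declare(strict_types=1);

// Find the raw Authorization header value. $server is a $_SERVER-style array;
// $rawHeaders is the result of getallheaders()/apache_request_headers(), or [].
function findAuthorizationHeader(array $server, array $rawHeaders = []): ?string
{
    // HTTP_AUTHORIZATION is what the page's RewriteRule sets; Apache renames it
    // to REDIRECT_HTTP_AUTHORIZATION after an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    // Header names are case-insensitive, so do not rely on the exact key 'Authorization'.
    foreach ($rawHeaders as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0 && is_string($value) && $value !== '') {
            return $value;
        }
    }
    return null;
}

// Return the bearer token, or null if the header is absent or malformed (fail closed).
function extractBearerToken(?string $header): ?string
{
    if ($header === null) {
        return null;
    }
    // RFC 6750 b64token syntax; the scheme name is matched case-insensitively.
    if (preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', trim($header), $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed sample inputs (not from the original page).
$samples = [
    'rewrite rule applied'    => [['HTTP_AUTHORIZATION' => 'Bearer 123456789'], []],
    'after internal redirect' => [['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer 123456789'], []],
    'only in raw headers'     => [[], ['authorization' => 'bearer 123456789']],
    'wrong scheme'            => [['HTTP_AUTHORIZATION' => 'Basic dXNlcjpwYXNz'], []],
    'header missing'          => [[], ['Host' => 'localhost']],
];
foreach ($samples as $label => [$server, $raw]) {
    $token = extractBearerToken(findAuthorizationHeader($server, $raw));
    printf("%-24s => %s\n", $label, $token ?? '(no token)');
}
```

In a real request the two arguments would be $_SERVER and, where the function exists, the return value of getallheaders().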
0

You can also use apache_request_headers(); to get the original headers which will have the Authorization header.

user1842104