Add Support for REDIRECT_HTTP_AUTHORIZATION to REST Server

[dshanske]

In WP_REST_Server->get_headers it endeavors to get a subset of headers.

It pulls any header with HTTP, strips the HTTP, and adds it. It adds 'CONTENT_LENGTH', 'CONTENT_MD5', 'CONTENT_TYPE'

Suggesting for compatibility, it pull REDIRECT_HTTP_AUTHORIZATION and add it in as 'Authorization' if HTTP_AUTHORIZATION is not set.

​https://github.com/WP-API/Basic-Auth/issues/35
​https://github.com/WP-API/Basic-Auth/issues/1

This is mentioned as an issue in multiple auth plugins. In the interest of compatibility, this header should be available to the REST endpoint.

[TimothyBlynJacobs]

This seems like a sensible change to me. Do you want to work on a patch @dshanske?

[dshanske]

This should do it.

[TimothyBlynJacobs]

Thanks for the patch @dshanske! I think unit tests would be nice to have here.

Should we double check that HTTP_AUTHORIZATION is not set? Or would that be overkill do you think. Thinking if it is possible for the header value to be stomped on if both keys are set somehow.

[cklosows]

Based off the original request, I believe the REDIRECT_HTTP_AUTHORIZATION value should only be used if the HTTP_AUTHORIZATION value is not set, and maybe also if both values are present and HTTP_AUTHORIZATION is empty:

[...]if HTTP_AUTHORIZATION is not set.

It would be entirely possible for the REDIRECT_HTTP_AUTHORIZATION to stomp on the initial value.

[cklosows]

Added the check for an empty HTTP_AUTHORIZATION header, and 4 unit tests around the two headers.

[TimothyBlynJacobs]

Latest patch fixes minor CS issues.

[TimothyBlynJacobs]

@dshanske could you give an example of how this would fix the issue with the different auth plugins? The REST API Server does not pass the WP_REST_Request object to the rest_authentication_errors filter. So any auth plugin that relied upon the Authorization header would have to manually retrieve the header value anyways.

Is the idea that they would use rest_get_server()->get_headers( $_SERVER )['AUTHORIZATION'] instead of checking against $_SERVER themselves?

[dshanske]

For errors, reading most of the auth plugins, not just my own, authentication isn't done using the identified filter...it is usually done in determine_current_user and only the results would be passed to the filter.

And using a function called get_headers is where most people would start, rather than reading it themselves

[dshanske]

To be clear, determine_current_user does not have access to the information either. I use get_headers in my token endpoint, which is built using the REST API.

[TimothyBlynJacobs]

In 47239:

REST API: Add support for the REDIRECT_HTTP_AUTHORIZATION header.

Previously the REST API did not account for server configurations where the Authorization header must be added using ModRewrite. This caused major DUX issues when trying to use custom authentication mechanisms.

Fixes #47077.
Props dshanske, cklosows.