joehoyle
commented
8 years ago Hmm I'm not sure if this is any official header and therefore should be included, I'm leaning towards no, but let's open this for discussion.
Open panic175 opened 9 years ago
joehoyle
commented
8 years ago Hmm I'm not sure if this is any official header and therefore should be included, I'm leaning towards no, but let's open this for discussion.
fatica
commented
7 years ago I'd like to mention that we see this regularly.
Where REDIRECT_HTTP_AUTHORIZATION is present, but HTTP_AUTHORIZATION is not.
I understand this occurs when PHP is running in FastCGI mode and the HTTP_AUTHORIZATION is set via SetEnv or .htaccess directives such as
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}
FWIW the same issue occurs in the Wordpress Basic Auth plugin.
We've handled this as described in this article: https://www.metalocator.com/wp-json-basic-auth-with-fastcgi/
The prefix is present on some configurations of PHP with FastCGI. So I guess OAuth1 should check for both. See here: https://github.com/WP-API/api-console/issues/1#issuecomment-65044837