escher-php

Signature mismatch when the server is behind a proxy

Open Zolli opened this issue 7 years ago • 1 comments

Hi,

I found an issue: when the server (API server) is behind a proxy server, the generated signatures are not equal. This is because the Escher::authenticate() method does not care about the proxy headers at all.

Scenario: The client signs the request with host: b.website.com, but this host is a proxy that redirects the request to a.website.com. In this case the client uses the b.website.com host to sign the request, but the server uses the a.website.com host.

Proposal: When getting the host from the request, first check whether any X-Forwarded-* headers are present and use this address as the host.

Zolli, Mar 20 '18 13:03
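The proposal above, sketched as an added example that is not part of the issue or of escher-php: a hypothetical helper, `resolveSignedHost()`, that uses `X-Forwarded-Host` for the signed host only when the direct peer is a known proxy, since an unconditional fallback would let any client choose the host that enters the signature check. The proxy address, the sample requests, and the idea of handing the adjusted server variables to the signature check are assumptions, as is a proxy that overwrites or appends the header itself.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of escher-php): pick the host the client signed.
 * X-Forwarded-Host is honoured only when the request arrives from a trusted proxy.
 */
function resolveSignedHost(array $server, array $trustedProxies): string
{
    $direct    = strtolower($server['HTTP_HOST'] ?? '');
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_X_FORWARDED_HOST'] ?? '';

    // No forwarded host, or the sender is not our proxy: keep the direct host.
    if ($forwarded === '' || !in_array($peer, $trustedProxies, true)) {
        return $direct;
    }

    // With chained proxies the header can be a comma list; the last entry is
    // the one written by the nearest (trusted) proxy.
    $parts     = explode(',', $forwarded);
    $candidate = strtolower(trim(end($parts)));

    // Accept only a plain hostname with an optional port.
    if (!preg_match('/^[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?(?::\d{1,5})?$/', $candidate)) {
        return $direct;
    }
    return $candidate;
}

// Constructed sample requests, using the host names from the issue.
$trusted = ['10.0.0.5']; // assumed address of the proxy serving b.website.com

$viaProxy = [
    'REMOTE_ADDR'           => '10.0.0.5',
    'HTTP_HOST'             => 'a.website.com',
    'HTTP_X_FORWARDED_HOST' => 'b.website.com',
];
// Same headers, but sent directly by an untrusted client.
$spoofed = ['REMOTE_ADDR' => '203.0.113.9'] + $viaProxy;

// Copy of the server variables with the resolved host, for the signature check.
$forAuth = ['HTTP_HOST' => resolveSignedHost($viaProxy, $trusted)] + $viaProxy;

echo $forAuth['HTTP_HOST'], PHP_EOL;
echo resolveSignedHost($spoofed, $trusted), PHP_EOL;
```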

Any news on this?

Zolli, Jul 11 '18 13:07