Fix Authorization header
Fixes #89
Since getHeaderLine() can return a comma-separated string, I added an explode and a foreach.
Updated tests to reflect the change
I agree with this solution. In my setup I provide a Slim API for a frontend Vue application where I wanted to use basic auth to secure the API endpoint and a bearer token for user authentication. So my header looked like this:
Authorization: Basic <base64UserPasswd>, Bearer <jsonWebToken>
The approach from @willoucom made that work!
AFAIK a header which looks like the one below is invalid syntax.
Authorization: Basic <base64UserPasswd>, Bearer <jsonWebToken>
We encountered the same issue in another scenario. It seems that the combination of AWS ALB, EKS ingress, an Apache pod and HTTP/2 leads to a duplication of the header somewhere down the road, resulting in a header like: Authorization: Basic foo,Basic foo
I agree that this is basically not the problem of the library, but it would add some resilience if the lib would just take the first header starting with "Basic".
I agree with @tuupola, having 2 different authorizations is invalid. There are multiple discussions on the Internet about this header and it seems that nobody agrees on a solution.
However, I think the problem with some load balancers (e.g. Amazon/Scaleway/Azure) duplicating the header can lead to a lot of problems for developers wanting to use this library (which I consider great). To solve this problem, I can modify my patch to retrieve only the first element of the header and ignore the others. I think this will solve the problem caused by LBs and prevent misuse of the header (i.e. using multiple schemas in the same header).
What do you think about this alternative?
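Added example, not part of the thread and not the library's code: a sketch of the "first element only" alternative proposed above, applied to the string that `getHeaderLine("Authorization")` returns. The function name `firstBasicCredentials` and the sample header lines are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the library's code): extract Basic credentials
 * from a possibly comma-joined Authorization header line, using only the
 * first comma-separated element and ignoring the rest.
 *
 * @return array{user: string, password: string}|null
 */
function firstBasicCredentials(string $headerLine): ?array
{
    // Basic credentials are base64, which cannot contain a comma, so
    // splitting on "," is safe for this scheme. It is not safe for schemes
    // with comma-separated parameters such as Digest.
    $first = trim(explode(",", $headerLine)[0]);

    // Scheme names are case-insensitive; require "Basic <base64>" exactly.
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $first, $m)) {
        return null;
    }

    // Strict mode rejects input that is not valid base64.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ":") === false) {
        return null;
    }

    // Only the first colon separates user from password.
    [$user, $password] = explode(":", $decoded, 2);
    return ["user" => $user, "password" => $password];
}

// Constructed sample header lines; "Zm9vOmJhcg==" is base64 of "foo:bar".
$samples = [
    "Basic Zm9vOmJhcg==",                        // single header
    "Basic Zm9vOmJhcg==,Basic Zm9vOmJhcg==",     // duplicated by a proxy
    "Basic Zm9vOmJhcg==, Bearer <jsonWebToken>", // mixed schemes, Basic first
    "Bearer <jsonWebToken>, Basic Zm9vOmJhcg==", // first element is Bearer
    "Basic not*base64",                          // malformed token
];

foreach ($samples as $line) {
    $creds = firstBasicCredentials($line);
    $shown = $creds ? $creds["user"] . ":" . $creds["password"] : "rejected";
    printf("%-45s => %s\n", $line, $shown);
}
```

Taking only the first element means a header whose first scheme is not Basic is refused rather than searched, which is the stricter of the two behaviours discussed in the thread.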