diff --git a/restapi/index.php b/restapi/index.php
index 808c45f8a..c09d199a6 100644
--- a/restapi/index.php
+++ b/restapi/index.php
@@ -3071,7 +3071,12 @@ class RestapiAuthMiddleware implements MiddlewareInterface { /* {{{ */
 }
 /**
- * Example middleware invokable class
+ * Auth middleware invokable class
+ *
+ * This methods checks for an api token in the Authorization header or
+ * a valid session in the cookie `mydms_session`.
+ * It does not support Basic authentication. It actually treats that
+ * as a wrong api token and authentication fails.
 *
 * @param \Psr\Http\Message\ServerRequestInterface $request PSR7 request
 * @param \Psr\Http\Server\RequestHandlerInterface $handler
@@ -3133,6 +3138,8 @@ class RestapiAuthMiddleware implements MiddlewareInterface { /* {{{ */
 $userobj = null;
 // $logger->log(var_export($environment, true), PEAR_LOG_DEBUG);
 if(!empty($environment['HTTP_AUTHORIZATION']) && !empty($settings->_apiKey) && !empty($settings->_apiUserId)) {
+ /* We cannot handle Basic authentication, so skip it */
+ if (substr($environment['HTTP_AUTHORIZATION'], 0, 6) != 'Basic ') {
 $logger->log("Authorization key: ".$environment['HTTP_AUTHORIZATION'], PEAR_LOG_DEBUG);
 if($settings->_apiKey == $environment['HTTP_AUTHORIZATION']) {
 if(!($userobj = $dms->getUser($settings->_apiUserId))) {
@@ -3160,6 +3167,9 @@ class RestapiAuthMiddleware implements MiddlewareInterface { /* {{{ */
 return $response;
 }
 $logger->log("Login with apikey as '".$userobj->getLogin()."' successful", PEAR_LOG_INFO);
+ } else {
+ $logger->log("Login with Basic auth cannot be handled by AuthMiddleware", PEAR_LOG_INFO);
+ }
 } else {
 $logger->log("Checking for valid session", PEAR_LOG_INFO);
 require_once("../inc/inc.ClassSession.php");
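Review bot: The added docblock sentence saying Basic authentication is treated "as a wrong api token" does not match the code this commit adds further down, where a header starting with `Basic ` skips the key comparison entirely and only writes a log line. I would reword it along the lines of `* A Basic Authorization header is not evaluated as an api token and is not handled by this middleware.` and correct "This methods checks" to "This method checks". What happens to such a request after the skip is decided outside the visible hunks, so the final wording should be confirmed against that code.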
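Review bot: The new prefix test `substr(...) != 'Basic '` is case-sensitive, but HTTP authentication scheme names are case-insensitive, so a header sent as `basic ...` still falls through to the api key comparison; `if (strncasecmp($environment['HTTP_AUTHORIZATION'], 'Basic ', 6) !== 0) {` covers both spellings. The two context lines that the new `if` now wraps also deserve attention: the debug log writes the full Authorization value, which is the api key itself on a successful login, and the key is compared with loose `==`, which is neither type-strict nor constant-time. Logging only that a header was present and comparing with `hash_equals($settings->_apiKey, $environment['HTTP_AUTHORIZATION'])` (assuming `_apiKey` is a string) would address both. The body of the new `if` continues past the end of this hunk.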
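Review bot: Because this `else` sits inside the outer `HTTP_AUTHORIZATION` branch, a request carrying a Basic header never reaches the session check in the following `} else {`, even when it also presents a valid session cookie, and `$userobj` stays null. If skipping Basic is meant to let such requests (for example behind a web server that enforces Basic auth itself) authenticate by session, the Basic test belongs in the outer condition so the session branch runs. If the intent is to reject them, a comment here would make that explicit, e.g. `/* Basic auth: no api key check and no session fallback, $userobj stays null */`. How a null `$userobj` is handled afterwards lies outside the hunk.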