Merge pull request #10 from cvette/fix/cv-multiple-headers

BUGFIX: Multiple authorization headers
flownative · Jul 26, 2022 · 2f498a0 · 2f498a0
2 parents 6b41fe0 + 2db2242
commit 2f498a0
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/Classes/Security/SessionStartingHashToken.php b/Classes/Security/SessionStartingHashToken.php
@@ -26,9 +26,14 @@ public function updateCredentials(ActionRequest $actionRequest)
         $authenticationHashToken = $actionRequest->getHttpRequest()->getQueryParams()['_authenticationHashToken'] ?? null;
 
         if (!$authenticationHashToken) {
-            $authorizationHeader = $actionRequest->getHttpRequest()->getHeader('Authorization');
-            if ($authorizationHeader) {
-                $authenticationHashToken = str_replace('Bearer ', '', $authorizationHeader);
+            $authorizationHeaders = $actionRequest->getHttpRequest()->getHeader('Authorization');
+            if (!empty($authorizationHeaders)) {
+                foreach ($authorizationHeaders as $authorizationHeader) {
+                    if (strpos($authorizationHeader, 'Bearer ') === 0) {
+                        $authenticationHashToken = str_replace('Bearer ', '', $authorizationHeader);
+                        break;
+                    }
+                }
             }
         }