From 2db22428987baa2ab3e315bd1dcb8b7e3f72c7d2 Mon Sep 17 00:00:00 2001
From: Christian Vette <6884391+cvette@users.noreply.github.com>
Date: Tue, 31 May 2022 09:14:15 +0200
Subject: [PATCH] BUGFIX: Multiple authorization headers

This change got overwritten by PR #8
---
 Classes/Security/SessionStartingHashToken.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/Classes/Security/SessionStartingHashToken.php b/Classes/Security/SessionStartingHashToken.php
index 4af63bf..239c0bc 100644
--- a/Classes/Security/SessionStartingHashToken.php
+++ b/Classes/Security/SessionStartingHashToken.php
@@ -26,9 +26,14 @@ public function updateCredentials(ActionRequest $actionRequest)
 $authenticationHashToken = $actionRequest->getHttpRequest()->getQueryParams()['_authenticationHashToken'] ?? null;
 if (!$authenticationHashToken) {
- $authorizationHeader = $actionRequest->getHttpRequest()->getHeader('Authorization');
- if ($authorizationHeader) {
- $authenticationHashToken = str_replace('Bearer ', '', $authorizationHeader);
+ $authorizationHeaders = $actionRequest->getHttpRequest()->getHeader('Authorization');
+ if (!empty($authorizationHeaders)) {
+ foreach ($authorizationHeaders as $authorizationHeader) {
+ if (strpos($authorizationHeader, 'Bearer ') === 0) {
+ $authenticationHashToken = str_replace('Bearer ', '', $authorizationHeader);
+ break;
+ }
+ }
 }
 }
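Review bot: The added `str_replace('Bearer ', '', $authorizationHeader)` inside the new `foreach` removes every occurrence of `Bearer ` in the header value, not only the prefix that the `strpos(...) === 0` check has just confirmed, so distinct header values can collapse to the same token string before it is used as a credential. Since the prefix is already verified, take the remainder instead: `$authenticationHashToken = substr($authorizationHeader, strlen('Bearer '));`. The scheme match is also case-sensitive, whereas RFC 7235 defines the auth scheme as case-insensitive; `stripos($authorizationHeader, 'Bearer ') === 0` would accept `bearer` as well. `updateCredentials` begins and ends outside this hunk, so how the extracted token is consumed afterwards is not visible here.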