Stripped Authorization header in Apache since v2.4.13 runs in trouble with this package #9

Open
2case opened this issue Feb 24, 2022 · 5 comments

@2case
Contributor

2case commented Feb 24, 2022

We ran into some trouble, as Apache strips the Authorization header since version 2.4.13. You have to add

```
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
```

to your .htaccess to enable it.

@2case
Contributor Author

2case commented Feb 25, 2022

No, since that only triggers on Basic authentication and not on Bearer authentication. Also, the destination $_SERVER key is different (HTTP_ vs REMOTE_; not sure if the Flow/Neos subsystem triggers on that).

@kitsunet
Member

In general I found that the current code for the token from headers is really brittle: it needs to account for Authentication headers being an array, for Basic authentication, AND it has no way to know if the Bearer token was actually meant for it. IMHO there should be a way to identify the token to make sure it was actually meant to be a token auth token? Maybe that is fine though, as the repo will just return null and we can then ignore the result...
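
Added example, not part of the thread and not the package's own code: one way to read a Bearer token that tolerates array-valued headers, ignores Basic credentials, and falls back to the `HTTP_AUTHORIZATION` variable set by the `SetEnvIf` line in this issue. The function name `extractBearerToken` and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: return the Bearer token from the request, or null.
 *
 * @param array<string, string|string[]> $headers header name => value(s)
 * @param array<string, mixed> $server typically $_SERVER
 */
function extractBearerToken(array $headers, array $server): ?string
{
    $candidates = [];
    foreach ($headers as $name => $value) {
        // Header names are case-insensitive.
        if (strcasecmp((string)$name, 'Authorization') === 0) {
            // The value may be a single string or a list of values.
            $candidates = array_merge($candidates, (array)$value);
        }
    }
    // Fallback when Apache did not pass the header on but the
    // SetEnvIf line from this issue populated the environment.
    if ($candidates === [] && isset($server['HTTP_AUTHORIZATION'])) {
        $candidates[] = $server['HTTP_AUTHORIZATION'];
    }
    foreach ($candidates as $candidate) {
        // Scheme matched case-insensitively; token charset per RFC 6750.
        // "Basic ..." values and malformed input simply do not match.
        if (is_string($candidate)
            && preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', trim($candidate), $m) === 1) {
            return $m[1];
        }
    }
    return null; // caller treats null as "no token auth requested"
}

// Constructed sample inputs: [headers, server variables].
$samples = [
    'array with Basic and Bearer' => [['Authorization' => ['Basic dXNlcjpwYXNz', 'Bearer abc.DEF-123']], []],
    'Basic only' => [['authorization' => 'Basic dXNlcjpwYXNz'], []],
    'header stripped, env fallback' => [[], ['HTTP_AUTHORIZATION' => 'Bearer abc.DEF-123']],
    'empty Bearer value' => [['Authorization' => 'Bearer '], []],
];
foreach ($samples as $label => [$headers, $server]) {
    var_export([$label => extractBearerToken($headers, $server)]);
    echo PHP_EOL;
}
```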

@kdambekalns
Member

I can't tell much about this, as I have not been using Apache HTTPD for ages now.

But I would think this is rather an issue with the Apache setup, and as such this package does not need to be changed – except maybe mentioning possible problems in the README?
