From 63cf4a3d34846167a80166f28ef91a18a8f75ca0 Mon Sep 17 00:00:00 2001
From: Franz Liedke
Date: Thu, 24 Mar 2016 21:53:11 +0900
Subject: [PATCH] Add a middleware for authentication with CGI wrap

If the authorization header is stripped by CGI wrap, the server can be configured to send the value along in an environment variable. If the server admin sticks to this convention, Flarum can now use this variable. This is supposed to take care of #384.
---
 framework/core/src/Api/Server.php | 1 +
 .../core/src/Http/Middleware/SharedHosts.php | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 framework/core/src/Http/Middleware/SharedHosts.php

diff --git a/framework/core/src/Api/Server.php b/framework/core/src/Api/Server.php
index 59c3090f0..629b0355c 100644
--- a/framework/core/src/Api/Server.php
+++ b/framework/core/src/Api/Server.php
@@ -33,6 +33,7 @@ class Server extends AbstractServer
 $pipe->pipe($path, $app->make('Flarum\Api\Middleware\FakeHttpMethods'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\StartSession'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\RememberFromCookie'));
+ $pipe->pipe($path, $app->make('Flarum\Http\Middleware\SharedHosts'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\AuthenticateWithSession'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\SetLocale'));
diff --git a/framework/core/src/Http/Middleware/SharedHosts.php b/framework/core/src/Http/Middleware/SharedHosts.php
new file mode 100644
index 000000000..d96c2c800
--- /dev/null
+++ b/framework/core/src/Http/Middleware/SharedHosts.php
@@ -0,0 +1,35 @@
+
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Flarum\Http\Middleware;
+
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Zend\Stratigility\MiddlewareInterface;
+
+class SharedHosts implements MiddlewareInterface
+{
+ /**
+ * {@inheritdoc}
+ */
+ public function __invoke(Request $request, Response $response, callable $out = null)
+ {
+ $SERVER = $request->getServerParams();
+
+ // CGI wrap may not pass on the Authorization header.
+ // In that case, the web server can be configured
+ // to pass its value in an env variable instead.
+ if (isset($SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+ $request = $request->withHeader('authorization', $SERVER['REDIRECT_HTTP_AUTHORIZATION']);
+ }
+
+ return $out ? $out($request, $response) : $response;
+ }
+}
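Review bot: The fallback in `__invoke` replaces the Authorization header whenever `REDIRECT_HTTP_AUTHORIZATION` is set, although the comment above it describes a fallback for the case where the header was stripped. `isset()` is also true for an empty string, so a server configuration that exports the variable on every request (possibly empty for anonymous requests) would make `withHeader` overwrite or blank a header that did arrive. Guarding the branch as `if (! $request->hasHeader('authorization') && ! empty($SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {` keeps a delivered header authoritative and skips empty values. The class has no docblock of its own; a short one stating that the variable is trusted because the web server configuration sets it, and that the middleware must run before `AuthenticateWithHeader`, would record the assumption this code relies on.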