From bcf863f60f27078550176c5dfdaf75fe77bf621f Mon Sep 17 00:00:00 2001
From: Christian Tietze
Date: Mon, 28 Feb 2022 11:18:06 +0100
Subject: [PATCH] Add support for PHP via FastCGI (#15)
---
 src/.htaccess | 3 +++
 src/server/logic/EditorService.php | 37 +++++++++++++++++++++---------
 2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/src/.htaccess b/src/.htaccess
index 9a6ad45..b7e4935 100644
--- a/src/.htaccess
+++ b/src/.htaccess
@@ -1,5 +1,8 @@
 RewriteEngine On
 
+# Forward HTTP BASIC auth headers when using FastCGI
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
 RewriteCond %{THE_REQUEST} !^GET\ .*?/client/([a-z]\.(js|css)|img/|libs/)
 RewriteCond %{THE_REQUEST} !^GET\ .*?/server/theme/
 RewriteCond %{REQUEST_FILENAME} !-f
diff --git a/src/server/logic/EditorService.php b/src/server/logic/EditorService.php
index f260d8e..d8a42eb 100644
--- a/src/server/logic/EditorService.php
+++ b/src/server/logic/EditorService.php
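Review bot: In src/.htaccess the new `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` runs unconditionally, so the variable is set (possibly empty) on every request, and its comment does not say under which name PHP receives the value. A guard line `RewriteCond %{HTTP:Authorization} .` directly above the rule would limit it to requests that actually carry the header. The comment could also state that after the internal rewrite further down the value presumably reaches PHP as `REDIRECT_HTTP_AUTHORIZATION`, which is the only key EditorService.php reads, and that the variable holds the Base64-encoded credentials, so anything that dumps the request environment (phpinfo output, debug pages) will show them.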
@@ -14,21 +14,36 @@ class EditorService {
 || $methodName == 'createUserConfig');
 }
 
+ // Returns tuple of username/password or [null,null].
+ private function getUserCredentials() {
+ if (isset($_SERVER["REDIRECT_HTTP_AUTHORIZATION"]) && !empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+ list ($auth_type, $cred) = explode (" ", $_SERVER['REDIRECT_HTTP_AUTHORIZATION']);
+ if ($auth_type == 'Basic') {
+ return explode (":", base64_decode($cred));
+ }
+ } else if (isset($_SERVER['PHP_AUTH_USER'])) {
+ return array( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
+ }
+ return array(null, null);
+ }
+
 // Returns one of: 'logged-in', 'no-credentials', 'wrong-credentials'
 public function getLoginState() {
- if (!isset($_SERVER['PHP_AUTH_USER'])) {
- return 'no-credentials';
- } else {
- $userInfo = $this->context->getConfig()['user.' . $_SERVER['PHP_AUTH_USER']];
- if (isset($userInfo)) {
- $loginHash = hash($userInfo['type'], $_SERVER['PHP_AUTH_PW'] . $userInfo['salt']);
- if ($loginHash == $userInfo['hash']) {
- return 'logged-in';
- }
- }
+ list ($auth_user, $auth_pw) = $this->getUserCredentials();
 
- return 'wrong-credentials';
+ if (!($auth_user && $auth_pw)) {
+ return 'no-credentials';
 }
+
+ $userInfo = $this->context->getConfig()['user.' . $auth_user];
+ if (isset($userInfo)) {
+ $loginHash = hash($userInfo['type'], $auth_pw . $userInfo['salt']);
+ if ($loginHash == $userInfo['hash']) {
+ return 'logged-in';
+ }
+ }
+
+ return 'wrong-credentials';
 }
 
 public function assertLoggedIn() {
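Review bot: The Basic branch of getUserCredentials() splits the decoded credentials with an unbounded `explode (":", …)`, so a password that itself contains a colon is truncated at that colon once getLoginState() destructures only two elements, and a header without a space or a payload without a colon yields a short array and undefined-offset warnings. Bounding both splits to two parts, decoding in strict mode and matching the scheme case-insensitively closes these gaps, as in the excerpt below. The check `!($auth_user && $auth_pw)` also treats a user name or password of "0" as missing; comparing against null or the empty string would be more exact. Separately, the retained `$loginHash == $userInfo['hash']` is a loose, non-constant-time comparison in which two numeric-looking digests (for example both of the form `0e…`) compare equal; `if (hash_equals($userInfo['hash'], $loginHash)) {` avoids both problems.

```php
private function getUserCredentials() {
    if (!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
        // Limit 2: scheme first, the whole credential payload second.
        $parts = explode(' ', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 2);
        if (count($parts) === 2 && strcasecmp($parts[0], 'Basic') === 0) {
            // Strict mode rejects payloads that are not valid Base64.
            $decoded = base64_decode($parts[1], true);
            // Limit 2: everything after the first ':' belongs to the password.
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                return explode(':', $decoded, 2);
            }
        }
    } else if (isset($_SERVER['PHP_AUTH_USER'])) {
    // … unchanged: PHP_AUTH_USER / PHP_AUTH_PW branch and the array(null, null) fallback …
```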