From 685d5f151793544a433d5f027f3dc87e80ec702f Mon Sep 17 00:00:00 2001
From: Franz Liedke
Date: Thu, 24 Mar 2016 21:53:11 +0900
Subject: [PATCH] Add a middleware for authentication with CGI wrap
If the authorization header is stripped by CGI wrap, the server can be configured to send the value along in an environment variable. If the server admin sticks to this convention, Flarum can now use this variable. This is supposed to take care of #384.
---
 src/Api/Server.php | 1 +
 src/Http/Middleware/SharedHosts.php | 35 +++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 src/Http/Middleware/SharedHosts.php
diff --git a/src/Api/Server.php b/src/Api/Server.php
index 59c3090f0..629b0355c 100644
--- a/src/Api/Server.php
+++ b/src/Api/Server.php
@@ -33,6 +33,7 @@ class Server extends AbstractServer
 $pipe->pipe($path, $app->make('Flarum\Api\Middleware\FakeHttpMethods'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\StartSession'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\RememberFromCookie'));
+ $pipe->pipe($path, $app->make('Flarum\Http\Middleware\SharedHosts'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\AuthenticateWithSession'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader'));
 $pipe->pipe($path, $app->make('Flarum\Http\Middleware\SetLocale'));
diff --git a/src/Http/Middleware/SharedHosts.php b/src/Http/Middleware/SharedHosts.php
new file mode 100644
index 000000000..d96c2c800
--- /dev/null
+++ b/src/Http/Middleware/SharedHosts.php
@@ -0,0 +1,35 @@
+
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Flarum\Http\Middleware;
+
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Zend\Stratigility\MiddlewareInterface;
+
+class SharedHosts implements MiddlewareInterface
+{
+ /**
+ * {@inheritdoc}
+ */
+ public function __invoke(Request $request, Response $response, callable $out = null)
+ {
+ $SERVER = $request->getServerParams();
+
+ // CGI wrap may not pass on the Authorization header.
+ // In that case, the web server can be configured
+ // to pass its value in an env variable instead.
+ if (isset($SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+ $request = $request->withHeader('authorization', $SERVER['REDIRECT_HTTP_AUTHORIZATION']);
+ }
+
+ return $out ? $out($request, $response) : $response;
+ }
+}
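Review bot: The fallback in `__invoke` replaces the Authorization header unconditionally: `withHeader` overwrites a header the request already carries, and `isset` is also true for an empty string, which a server rule that copies the header into the variable may produce for requests sent without credentials. Because the value presumably becomes the credential that the later `AuthenticateWithHeader` middleware evaluates, the variable should only fill a gap, e.g. `if (! $request->hasHeader('authorization') && ! empty($SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {`. The `{@inheritdoc}` block documents none of this; a class docblock stating that `REDIRECT_HTTP_AUTHORIZATION` is trusted as a credential and must be set only by the web server configuration would make the deployment assumption explicit for operators.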