From e3502d0cd4bf633b3c6be4860206e911ca6addec Mon Sep 17 00:00:00 2001
From: Abhishek Kaushik
Date: Wed, 22 Apr 2026 15:08:51 +0200
Subject: [PATCH 1/2] Add custom Auth header

---
 inc/authentication/namespace.php | 58 +++++++++++++++++++++++++++-----
 1 file changed, 49 insertions(+), 9 deletions(-)

diff --git a/inc/authentication/namespace.php b/inc/authentication/namespace.php
index aa6aa8e..63c0617 100644
--- a/inc/authentication/namespace.php
+++ b/inc/authentication/namespace.php
@@ -46,17 +46,57 @@ function get_authorization_header() {
 * @return string|null Token on success, null on failure.
 */
 function get_provided_token() {
- $header = get_authorization_header();
- if ( $header ) {
- return get_token_from_bearer_header( $header );
- }
+ // Prefer the standard Authorization header. Only if it is missing or
+ // does not contain a bearer token (e.g. a proxy has injected Basic
+ // auth), fall back to the non-standard X-Authorization header.
+ $header = get_authorization_header();
+ if ( $header ) {
+ $token = get_token_from_bearer_header( $header );
+ if ( $token ) {
+ return $token;
+ }
+ }
+
+ $alt_header = get_custom_authorization_header();
+ if ( $alt_header ) {
+ $token = get_token_from_bearer_header( $alt_header );
+ if ( $token ) {
+ return $token;
+ }
+ }
+
+ $token = get_token_from_request();
+ if ( $token ) {
+ return $token;
+ }
+
+ return null;
+}
+
+/**
+ * Get the X-Authorization header.
+ *
+ * Used when the standard Authorization header is consumed by a proxy
+ * layer (e.g. Imperva HTTP Basic Auth).
+ *
+ * @return string|null Header value if set, null otherwise.
+ */
+function get_custom_authorization_header() {
+ if ( ! empty( $_SERVER['HTTP_X_AUTHORIZATION'] ) ) {
+ return wp_unslash( $_SERVER['HTTP_X_AUTHORIZATION'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+ }
 
- $token = get_token_from_request();
- if ( $token ) {
- return $token;
- }
+ if ( function_exists( 'getallheaders' ) ) {
+ $headers = getallheaders();
 
- return null;
+ foreach ( $headers as $key => $value ) {
+ if ( strtolower( $key ) === 'x-authorization' ) {
+ return $value;
+ }
+ }
+ }
+
+ return null;
 }
 
 /**

From 08deba69f164f47963cd4d868605d06081bac90a Mon Sep 17 00:00:00 2001
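Review bot: The new `get_custom_authorization_header()` turns `X-Authorization` into an always-on second credential channel: `get_provided_token()` consults it on every request, not only behind the proxy the docblock describes, so a bearer token in that header is honoured on deployments where `Authorization` is never rewritten and where a WAF or proxy rule may only inspect the standard header. PATCH 2/2 in this series replaces the helper with the `oauth2.authentication.alternative_authorization_header` filter, whose `null` default disables the fallback, which resolves this if the series is applied whole; if this patch is ever applied alone, the fallback should be gated behind an explicit opt-in rather than enabled unconditionally. A smaller inconsistency inside the helper is that the `$_SERVER` branch passes the value through `wp_unslash()` while the `getallheaders()` branch returns it raw; that may be deliberate if only `$_SERVER` is slashed by WordPress, but a one-line comment such as `// getallheaders() values are not slashed by WordPress, so no wp_unslash() here.` would make the asymmetry intentional rather than accidental.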
From: Abhishek Kaushik
Date: Tue, 12 May 2026 15:03:26 +0530
Subject: [PATCH 2/2] Use filter for alternative Authorization header

---
 inc/authentication/namespace.php | 41 +++++++++----------------------
 1 file changed, 11 insertions(+), 30 deletions(-)

diff --git a/inc/authentication/namespace.php b/inc/authentication/namespace.php
index 63c0617..02e7d63 100644
--- a/inc/authentication/namespace.php
+++ b/inc/authentication/namespace.php
@@ -46,9 +46,6 @@ function get_authorization_header() {
 * @return string|null Token on success, null on failure.
 */
 function get_provided_token() {
- // Prefer the standard Authorization header. Only if it is missing or
- // does not contain a bearer token (e.g. a proxy has injected Basic
- // auth), fall back to the non-standard X-Authorization header.
 $header = get_authorization_header();
 if ( $header ) {
 $token = get_token_from_bearer_header( $header );
@@ -57,7 +54,17 @@ function get_provided_token() {
 }
 }
 
- $alt_header = get_custom_authorization_header();
+ /**
+ * Provide an alternative authorization header value.
+ *
+ * Use this filter when the standard Authorization header is consumed by a
+ * proxy or server layer (e.g. Imperva HTTP Basic Auth). Return the raw
+ * header value (e.g. "Bearer ") to have it parsed as a bearer token.
+ * Return null to skip the fallback entirely.
+ *
+ * @param string|null $header Raw header value, or null to skip.
+ */
+ $alt_header = apply_filters( 'oauth2.authentication.alternative_authorization_header', null );
 if ( $alt_header ) {
 $token = get_token_from_bearer_header( $alt_header );
 if ( $token ) {
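Review bot: In the second hunk the filtered `$alt_header` goes straight into `get_token_from_bearer_header()` after only a truthiness test, so a callback that returns an array, an object or `true` reaches the parser; whether that ends in a `TypeError` or a silent `null` depends on that function's signature, which is outside this hunk, so guard the type at the boundary: `if ( is_string( $alt_header ) && '' !== $alt_header ) {`. The filter docblock should also say that the callback is responsible for reading and unslashing the raw request header itself, because the `wp_unslash()` the removed `get_custom_authorization_header()` applied no longer happens in core; a line such as `* The callback must return an already-unslashed string; no further sanitisation is applied here.` would cover it. The example `"Bearer "` in the docblock looks truncated (a placeholder after `Bearer` has probably been lost) and should show the full shape, e.g. `"Bearer [token]"`. `get_provided_token()` starts and ends outside this hunk.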
@@ -73,32 +80,6 @@ function get_provided_token() {
 return null;
 }
 
-/**
- * Get the X-Authorization header.
- *
- * Used when the standard Authorization header is consumed by a proxy
- * layer (e.g. Imperva HTTP Basic Auth).
- *
- * @return string|null Header value if set, null otherwise.
- */
-function get_custom_authorization_header() {
- if ( ! empty( $_SERVER['HTTP_X_AUTHORIZATION'] ) ) {
- return wp_unslash( $_SERVER['HTTP_X_AUTHORIZATION'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
- }
-
- if ( function_exists( 'getallheaders' ) ) {
- $headers = getallheaders();
-
- foreach ( $headers as $key => $value ) {
- if ( strtolower( $key ) === 'x-authorization' ) {
- return $value;
- }
- }
- }
-
- return null;
-}
-
 /**
 * Extracts the token from the given authorization header.
 *