Each time I try to authenticate against the Drupal REST server I get this error in the Drupal reports, along with a 403 response from the server.

Notice: Undefined offset: 1 in restws_basic_auth_init() (line 20 of /www/sites/all/modules/restws/restws_basic_auth/restws_basic_auth.module).

The 403 I'm getting is

403 Access Denied: CSRF validation failed

I'm using basic auth and pass a restws username and password with each request.


Comments

lokapujya:

Status: Active » Postponed (maintainer needs more info)

Are you using Apache + PHP as CGI/FCGI? What other information can you provide?

Media Crumb:

I switched to tokens and all is well.

Media Crumb:

Status: Postponed (maintainer needs more info) » Closed (fixed)
samuel.mortenson:

Status: Closed (fixed) » Needs review
FileSize
981 bytes

I'm getting the same Notice, and as a result am re-opening this issue. While I don't have replication steps as it involves an internal service, the provided patch simply checks that the decoded/exploded value actually has the parts necessary to fill in PHP_AUTH_USER and PHP_AUTH_PW before calling list().

lokapujya:

+++ b/restws_basic_auth/restws_basic_auth.module
@@ -17,7 +17,11 @@ function restws_basic_auth_init() {
     $authentication = base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6));
-    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $authentication);
+    $bits = explode(':', $authentication);
+
+    if (count($bits) === 2) {
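Review bot: the new `if (count($bits) === 2)` check rejects any credential whose password contains a colon, because the `explode(':', $authentication)` on the line above it has no limit and RFC 7617 allows colons in the password; use `explode(':', $authentication, 2)` so only the first colon separates user from password, then the count check is sound. The unchanged `substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)` still assumes the header begins with "Basic " without checking the scheme, so a non-Basic header (the case this issue describes) is still base64-decoded and split; checking the scheme before decoding would address the reported cause rather than only the symptom.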

We should understand this more. Why does REDIRECT_HTTP_AUTHORIZATION not have 2 bits?

samuel.mortenson:

I've contacted the engineering team who ran into this for more information - for context this is only happening on a webhook endpoint used by an internal tool. Since I don't work on that tool I can't be sure, but I would guess that the authorization used for the endpoint is not Basic auth (or is encoded with something other than base64_encode).

When "substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)" is called, it is assumed that the first 6 characters are always "Basic ", but that may not always be the case. Perhaps instead of this patch we could use a regex and remove the substr call in a method similar to this:

if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) {
    // Limit the split to 2 so a password containing ':' survives intact, and
    // only assign when both parts exist (avoids the "Undefined offset: 1" notice).
    $parts = explode(':', base64_decode($matches[1]), 2);
    if (count($parts) === 2) {
        list($name, $password) = $parts;
        $_SERVER['PHP_AUTH_USER'] = $name;
        $_SERVER['PHP_AUTH_PW'] = $password;
    }
}

(modified from http://php.net/manual/en/features.http-auth.php#106285)
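The parsing approach discussed in this thread, written out as an added example. This is not code from the restws_basic_auth module or from any commenter here; it shows a defensive parser for the header value that the module's hook_init() reads from $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], handling the cases raised above: a non-Basic scheme (such as an OAuth2 bearer token), a payload that is not base64, a decoded value without a colon, and a password that itself contains colons. The function names and the sample header values are hypothetical.

```php
<?php
// Added example, not code from the restws_basic_auth module or from the thread.
// Function names are hypothetical; sample inputs below are constructed.

/**
 * Parse an HTTP Basic Authorization header value.
 *
 * @param mixed $header
 *   The raw header value, e.g. "Basic YWxpY2U6czNjcmV0".
 *
 * @return array|null
 *   array('user' => ..., 'pass' => ...) on success, NULL when the header is not
 *   Basic auth, is not valid base64, or does not contain a "user:password" pair.
 */
function example_parse_basic_auth($header) {
  if (!is_string($header)) {
    return NULL;
  }
  // Anchor on the scheme so a "Bearer ..." (OAuth2) header is left alone, and
  // accept only base64 characters in the credential part.
  if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $header, $m)) {
    return NULL;
  }
  // Strict decoding returns FALSE instead of silently skipping bad characters.
  $decoded = base64_decode($m[1], TRUE);
  if ($decoded === FALSE || strpos($decoded, ':') === FALSE) {
    return NULL;
  }
  // RFC 7617: the user-id cannot contain a colon but the password can, so only
  // the first colon separates the two.
  list($user, $pass) = explode(':', $decoded, 2);
  if ($user === '') {
    return NULL;
  }
  return array('user' => $user, 'pass' => $pass);
}

/**
 * Populate PHP_AUTH_USER / PHP_AUTH_PW the way the module's hook_init() does,
 * but only when the header really carries Basic credentials.
 *
 * @return bool
 *   TRUE when credentials were set, FALSE when the header was left alone.
 */
function example_populate_php_auth(array &$server) {
  if (!isset($server['REDIRECT_HTTP_AUTHORIZATION'])) {
    return FALSE;
  }
  $creds = example_parse_basic_auth($server['REDIRECT_HTTP_AUTHORIZATION']);
  if ($creds === NULL) {
    // Not Basic auth (or malformed): leave $_SERVER untouched so another
    // authentication module (e.g. an OAuth2 one) can handle the request.
    return FALSE;
  }
  $server['PHP_AUTH_USER'] = $creds['user'];
  $server['PHP_AUTH_PW'] = $creds['pass'];
  return TRUE;
}

// Constructed sample header values (not taken from the thread).
$samples = array(
  'Basic ' . base64_encode('alice:s3cret'),    // ordinary credentials
  'Basic ' . base64_encode('bob:pa:ss:word'),  // password containing colons
  'Bearer 0123456789abcdef',                   // OAuth2-style token, not Basic
  'Basic ' . base64_encode('nocolon'),         // decodes, but has no separator
  'Basic not*base64*at*all',                   // rejected by the regex
);

foreach ($samples as $header) {
  $fake_server = array('REDIRECT_HTTP_AUTHORIZATION' => $header);
  if (example_populate_php_auth($fake_server)) {
    printf("%-40s -> user=%s pass=%s\n", $header,
      $fake_server['PHP_AUTH_USER'], $fake_server['PHP_AUTH_PW']);
  }
  else {
    printf("%-40s -> skipped\n", $header);
  }
}
```

Run it with `php example.php`: the first two headers yield credentials (the second with the full "pa:ss:word" password intact), while the bearer token, the colon-less payload and the non-base64 payload are all skipped without touching $_SERVER, which is the behaviour the OAuth2 coexistence described later in this thread needs.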

samuel.mortenson:

@lokapujya I reached out to the engineering team; they are indeed not using base64 encoding for authorization, which is why there's an incompatibility with this hook_init implementation.

m.stenta:

Version: 7.x-2.4 » 7.x-2.x-dev
FileSize
1.38 KB

We ran into this issue while trying to use OAuth2 authentication on a site that also had restws_basic_auth installed.

I synthesized @samuel.mortenson's ideas into a new patch, attached.

This isn't tested yet... will try to test today and share results.

m.stenta:

I've tested the patch in #9 alongside the RESTful Web Services OAuth2 Server Integration module: https://www.drupal.org/project/restws_oauth2_server

Before the patch, the restws_basic_auth module is too heavy-handed in its hook_init() and causes the restws_oauth2_server module to fail during OAuth authentication. After the patch, both work: I can authenticate via OAuth2 and via Basic Auth.

samuel.mortenson:

+++ b/restws_basic_auth/restws_basic_auth.module
@@ -13,11 +13,15 @@
+    if (preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) {
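Review bot: the capture `(.*)` in the preg_match on this line accepts any characters after "Basic", so a non-base64 payload (the very case reported in this issue) is still handed to base64_decode, which in its default non-strict mode silently drops invalid characters and returns a garbage string. Restrict the capture to the base64 alphabet, e.g. `([A-Za-z0-9+\/=]+)`, decode with `base64_decode($matches[1], TRUE)` and bail out when it returns FALSE before splitting on the colon; pair that with an explode limit of 2 so passwords containing colons are preserved.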

Might be nitpicky but we should use ^ here to make sure "Basic" is at the start of the string, i.e. "/^Basic"

m.stenta:

Updated patch attached.

samuel.mortenson:

Status: Needs review » Reviewed & tested by the community

LGTM