Each time I try to Auth against the drupal rest server I'm getting this error within drupal reports along with a 403 response from the server.
Notice: Undefined offset: 1 in restws_basic_auth_init() (line 20 of /www/sites/all/modules/restws/restws_basic_auth/restws_basic_auth.module).
The 403 I'm getting is
403 Access Denied: CSRF validation failed
I'm using basic auth and passed a restws username and password with each request.
| Comment | File | Size | Author |
|---|---|---|---|
| #12 | restws-auth-check-2490416-12.patch | 1.38 KB | m.stenta |
| #9 | restws-auth-check-2490416-9.patch | 1.38 KB | m.stenta |
| #5 | restws-auth-check-2490416-5.patch | 981 bytes | samuel.mortenson |
Comments
Comment #1
Media Crumb commented (no text).
Comment #2
lokapujya: Are you using Apache + PHP as CGI/FCGI? What other information can you provide?
Comment #3
Media Crumb: I switched to tokens and all is well.
Comment #4
Media Crumb commented (no text).
Comment #5
samuel.mortenson: I'm getting the same Notice, and as a result am re-opening this issue. While I don't have replication steps as it involves an internal service, the provided patch simply checks that the decoded/exploded value actually has the parts necessary to fill in PHP_AUTH_USER and PHP_AUTH_PW before calling list().
Comment #6
lokapujya: We should understand this more. Why does REDIRECT_HTTP_AUTHORIZATION not have 2 bits?
Comment #7
samuel.mortenson: I've contacted the engineering team who ran into this for more information. For context, this is only happening on a webhook endpoint used by an internal tool. Since I don't work on that tool I can't be sure, but I would guess that the authorization used for the endpoint is not Basic auth (or is encoded with something other than base64_encode).
When "substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)" is called, it is assumed that the first 6 characters are always "Basic", but that may not always be the case. Perhaps instead of this patch we could use regex and remove the substr call in a method similar to this:
(modified from http://php.net/manual/en/features.http-auth.php#106285)
Comment #8
samuel.mortenson: @lokapujya I reached out to the engineering team; they are indeed not using base64 encoding for authorization, which is why there's an incompatibility with this hook_init implementation.
Comment #9
m.stenta: We ran into this issue while trying to use OAuth2 authentication on a site that also had restws_basic_auth installed. I synthesized @samuel.mortenson's ideas into a new patch, attached.
This isn't tested yet... will try to test today and share results.
Comment #10
m.stenta: I've tested the patch in #9 alongside the RESTful Web Services OAuth2 Server Integration module: https://www.drupal.org/project/restws_oauth2_server
Before the patch, the restws_basic_auth module is too heavy-handed in its hook_init() and causes the restws_oauth2_server module to fail during OAuth authentication. After the patch, both work: I can authenticate via OAuth2 and via Basic Auth.
Comment #11
samuel.mortenson: Might be nitpicky, but we should use ^ here to make sure "Basic" is at the start of the string, i.e. "/^Basic".
Comment #12
m.stenta: Updated patch attached.
Comment #13
samuel.mortenson: LGTM
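The header-parsing approach discussed in comments #5, #7 and #11 (check that the decoded value really has a user and a password before calling list(), match the scheme with an anchored regex instead of a blind substr, and leave non-Basic headers such as OAuth2 Bearer tokens untouched), written out as an added illustration. This is not the restws module's code and not any of the patches attached to this issue; the function names example_parse_basic_auth_header() and example_restws_basic_auth_init() are hypothetical, and the sample header values at the bottom are constructed for the demonstration.

```php
<?php
/**
 * Hypothetical helper (not the restws module's own code): parse an HTTP
 * Authorization header value and return array($user, $password) only if it
 * is a well-formed Basic credential. Anything else (a Bearer token, a
 * non-base64 value, a decoded string without a colon) yields NULL, so the
 * caller never triggers "Undefined offset: 1" and other auth modules keep
 * seeing the header they expect.
 */
function example_parse_basic_auth_header($header) {
  if (!is_string($header)) {
    return NULL;
  }
  // Anchor the scheme at the start of the string (comment #11), match it
  // case-insensitively as HTTP allows, and require whitespace after it so a
  // scheme that merely begins with "Basic" is not mistaken for Basic auth.
  if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $matches)) {
    return NULL;
  }
  // Strict decoding rejects stray characters instead of silently dropping them.
  $decoded = base64_decode($matches[1], TRUE);
  if ($decoded === FALSE) {
    return NULL;
  }
  // Basic credentials are "user-id:password". The user-id cannot contain a
  // colon but the password can, so split on the first colon only.
  $parts = explode(':', $decoded, 2);
  if (count($parts) !== 2 || $parts[0] === '') {
    return NULL;
  }
  return $parts;
}

/**
 * Hypothetical hook_init()-style body showing the helper in use: fill in
 * PHP_AUTH_USER / PHP_AUTH_PW only when a valid Basic credential is present.
 * REDIRECT_HTTP_AUTHORIZATION is the variable named in comment #6.
 */
function example_restws_basic_auth_init() {
  $header = NULL;
  foreach (array('REDIRECT_HTTP_AUTHORIZATION', 'HTTP_AUTHORIZATION') as $key) {
    if (!empty($_SERVER[$key])) {
      $header = $_SERVER[$key];
      break;
    }
  }
  $credentials = example_parse_basic_auth_header($header);
  if ($credentials !== NULL) {
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $credentials;
  }
}

// Constructed sample header values covering the cases raised in the thread.
$samples = array(
  'Basic ' . base64_encode('alice:s3cret'),  // valid Basic credential
  'Bearer some-oauth2-token',                // OAuth2 header: must be left alone
  'Basic bm8tY29sb24=',                      // decodes to "no-colon": malformed
  'Basic ' . base64_encode('bob:pa:ss'),     // password that itself contains ':'
  'Basic not%base64!',                       // non-base64 payload
);
foreach ($samples as $sample) {
  $result = example_parse_basic_auth_header($sample);
  echo $sample, ' => ',
    ($result === NULL ? 'ignored' : "user={$result[0]} pw={$result[1]}"), "\n";
}
```

Running the script prints one line per sample: the first and fourth are parsed (the fourth keeps "pa:ss" intact as the password), while the Bearer token, the colon-less value and the non-base64 value are all reported as ignored rather than raising a notice or clobbering PHP_AUTH_USER.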