Some deployments may have two layers of authorization:
(1) A generic/site-wide HTTP basic check (perhaps to prevent search-engines
from finding the site; perhaps enforced by a reverse proxy)
(2) A Civi or CMS credential (eg session-cookie, ?_authx, or X-Civi-Auth:)
Authx sits in layer 2. It should enable HTTP `Authorization:` handling
if-and-only-if there is NOT a pre-existing `Authorization:` mechanism.
To test this, I enabled the extension over APIv3 REST -- with/without a superfluous header:
```
curl -X POST -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'
curl -X POST -H 'Authorization: Bearer superfluous' -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'
```
*/
function authx_civicrm_install() {
_authx_civix_civicrm_install();
+
}
/**
*/
function authx_civicrm_enable() {
_authx_civix_civicrm_enable();
+ // If the system is already using HTTP `Authorization:` headers before installation/re-activation, then
+ // it's probably an extra/independent layer of security.
+ // Only activate support for `Authorization:` if this looks like a clean/amenable environment.
+ // @link https://github.com/civicrm/civicrm-core/pull/22837
+ if (empty($_SERVER['HTTP_AUTHORIZATION']) && NULL === Civi::settings()->getExplicit('authx_header_cred')) {
+ Civi::settings()->set('authx_header_cred', ['jwt', 'api_key']);
+ }
}
/**
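Review bot: The probe on the `if` line of authx_civicrm_enable() inspects only `$_SERVER['HTTP_AUTHORIZATION']`, which common PHP front-ends do not populate even when an outer Basic-auth layer is active — Apache under CGI/FastCGI strips the header unless it is explicitly passed through, and mod_php exposes Basic credentials as `PHP_AUTH_USER`/`PHP_AUTH_PW` instead — so the heuristic can conclude the environment is clean and enable header credentials behind exactly the kind of pre-existing layer the comment says it wants to respect. A broader probe would be `if (empty($_SERVER['HTTP_AUTHORIZATION']) && empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && empty($_SERVER['PHP_AUTH_USER']) && NULL === Civi::settings()->getExplicit('authx_header_cred')) {`. The check is also unconditionally true when the extension is enabled from the CLI (cv, drush), where there is no request to inspect, and the comment should say so, e.g. `// NOTE: when enabled from the CLI there are no request headers to inspect, so header creds are switched on unconditionally.`. Separately, the `@see \authx_civicrm_install()` added to the settings default further down points at a function that received only a blank line in this change; the logic it refers to lives in `\authx_civicrm_enable()`.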
$s['authx_legacyrest_cred']['default'] = ['jwt', 'api_key'];
$s['authx_legacyrest_user']['default'] = 'require';
$s['authx_param_cred']['default'] = ['jwt', 'api_key'];
- $s['authx_header_cred']['default'] = ['jwt', 'api_key'];
+ $s['authx_header_cred']['default'] = []; /* @see \authx_civicrm_install() */
$s['authx_xheader_cred']['default'] = ['jwt', 'api_key'];
$s['authx_pipe_cred']['default'] = ['jwt', 'api_key'];