Solved thread

Accessing 'Authorization' custom request headers

Hi,

I'm trying to access custom request headers in a Micro application (REST api) and I can't seem to access some of them.

I'm using $app->request->getHeader('My-Custom-Header');

but it returns an empty string for one of my headers.

I'm just using CURL to test this at the moment. I've looked at this post here https://forum.phalconphp.com/discussion/802/access-request-headers-from-phalcon-mvc-micro but unfortunately I'm not using NGINX.

The curl request is as follows:

    curl -H"Authorization:Bearer 12345" -H"foo:foo"

Phalcon doesn't see 'Authorization' but it will print 'foo'

What's even more interesting though is that if I call var_dump(getallheaders()) so using PHP's native function, the Authorization header is present, implying to me it isn't an issue with the Apache or php configuration (though I could obviously be wrong).

Any thoughts anyone?

thanks



Accepted answer, edited Jan '16

So it turns out that PHP only parses the Authorization header for Basic and Digest.

The solution suggested on php.net is to have Apache rewrite the header to essentially prefix "HTTP_" which will then allow PHP to parse it properly.

    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

I couldn't get the rewrite rule to work, but I suppose if I'm the only one consuming my API I can call the header something else for now. Annoying, though, to say the least.



edited Jan '16

I'm using OAuth2 with that header.

With Nginx (default config, no tweaks) and Phalcon, it works like this: $this->request->getHeader("Authorization").

With Apache2, I've added these lines to the virtualhost node of the config (together with the defaults for Phalcon, of course):

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

And it works too the same way. Did you try this?

PS: even if you have no access to the server configuration, the OAuth2 specs (and OAuth2 libs like that) allow clients to pass access_token in a query parameter (not a header) with any HTTP method.

Phalcon will access it w/o any issue if your web server sends them.

In case of API headers for security, HMAC digest etc. you'd need to enable underscores in headers to be forwarded as well.

For Nginx:

http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
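
Added example, not part of the thread and not Phalcon's own code: a server-side lookup that reads the bearer token from whichever place Apache and PHP actually exposed it, then validates the scheme before use. The function names are hypothetical, the `REDIRECT_HTTP_AUTHORIZATION` fallback (Apache's prefix for environment variables after an internal redirect) goes beyond what the thread covers, and the sample inputs are constructed.

```php
<?php
// Added example; findAuthorizationHeader() and extractBearerToken() are hypothetical names.

// Return the raw Authorization value, or null if the web server did not pass it to PHP.
function findAuthorizationHeader(array $server, ?array $headers = null): ?string
{
    // HTTP_AUTHORIZATION is what the RewriteRule [E=HTTP_AUTHORIZATION:...] workaround sets;
    // Apache renames it to REDIRECT_HTTP_AUTHORIZATION after an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            return trim($server[$key]);
        }
    }
    // Fallback: the original poster reported getallheaders() still showing the header.
    if ($headers === null && function_exists('getallheaders')) {
        $headers = getallheaders();
    }
    foreach ($headers ?: [] as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0) {
            return trim($value);
        }
    }
    return null;
}

// Extract a Bearer token; null for a missing, non-Bearer or malformed value.
function extractBearerToken(?string $header): ?string
{
    // RFC 6750 b64token syntax; the scheme name is matched case-insensitively.
    if ($header !== null && preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', $header, $m)) {
        return $m[1];
    }
    return null;
}

// Constructed inputs standing in for $_SERVER and getallheaders(), mirroring the curl test.
$cases = [
    'rewrite rule applied'    => [['HTTP_AUTHORIZATION' => 'Bearer 12345'], []],
    'after internal redirect' => [['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer 12345'], []],
    'only getallheaders()'    => [[], ['authorization' => 'Bearer 12345', 'foo' => 'foo']],
    'header stripped'         => [[], ['foo' => 'foo']],
    'basic scheme'            => [['HTTP_AUTHORIZATION' => 'Basic dXNlcjpwYXNz'], []],
];
foreach ($cases as $label => [$server, $headers]) {
    $token = extractBearerToken(findAuthorizationHeader($server, $headers));
    printf("%-24s => %s\n", $label, $token ?? '(no bearer token)');
}
```

In a live request, call `findAuthorizationHeader($_SERVER)` and reject the request when `extractBearerToken()` returns null instead of falling back to an unauthenticated path.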