AuthX: Breaks sites when Basic Auth is enabled
Overview
AuthX completely breaks any site with Basic Auth enabled, displaying "401 Invalid Credential".
Reproduction steps
- Enable AuthX and Basic Authentication on your site. The Apache documentation suggests this is as simple as adding

  AuthBasicFake demo demopass

  to your config. Drupal 8+ also has a "Basic Authentication" module in core.
- Alternatively, just enable AuthX and access the site via curl, e.g.

  curl https://a:b@dmaster.demo.civicrm.org/civicrm
Current behaviour
All CiviCRM pages error out with "401 Invalid Credential".
Expected behaviour
Normal page loading behavior.
Comments
This happens because authx.php registers an anonymous function on the civi.invoke.auth listener containing these lines:

// authx.php, civi.invoke.auth listener: any Authorization header is handed to the AuthX authenticator
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
  return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'header', 'cred' => $_SERVER['HTTP_AUTHORIZATION'], 'siteKey' => $siteKey]);
}

When Basic Auth is in use, $_SERVER['HTTP_AUTHORIZATION'] is populated with the web server's Basic credentials, so the authenticator runs against those and will never find a principal. No amount of removing AuthX guards or ignoring user accounts will fix this.
Either AuthX shouldn't support the Authorization: HTTP header or it should be possible to disable it.
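As an added illustration of the two options above (not CiviCRM or AuthX code), the following PHP sketches a header-auth decision that can be switched off by a setting and that treats a Basic credential unknown to AuthX as belonging to the web server, passing the request through instead of returning 401. The setting name, the `decideHeaderAuth` function and the `$lookupPrincipal` stub are assumptions made for this example; AuthX's real configuration and principal lookup may differ.

```php
<?php
// Added example, not AuthX code. Demonstrates a header-auth listener that
// (a) can be disabled by configuration and (b) does not hard-fail when the
// Authorization header carries web-server Basic Auth credentials.

// Hypothetical setting key; the real AuthX settings may be named differently.
const AUTHX_HEADER_ENABLED = 'authx_header_enabled';

/**
 * Parse an Authorization header into [scheme, credential].
 * Returns null when the header is absent or not "<scheme> <credential>".
 */
function parseAuthorizationHeader(?string $header): ?array {
    if ($header === null || trim($header) === '') {
        return null;
    }
    $parts = preg_split('/\s+/', trim($header), 2);
    if (count($parts) !== 2) {
        return null;
    }
    return [strtolower($parts[0]), $parts[1]];
}

/**
 * Decide what to do with the Authorization header on this request.
 *
 * $server          stands in for $_SERVER
 * $settings        stands in for the site's configuration
 * $lookupPrincipal callable(string $id, ?string $secret): bool, resolving a
 *                  credential to a known AuthX principal (stubbed below)
 *
 * Returns 'skip' (leave the request to the CMS / anonymous), 'authenticated'
 * (AuthX recognised the credential) or 'reject' (bad credential for a scheme
 * that only AuthX handles, such as Bearer).
 */
function decideHeaderAuth(array $server, array $settings, callable $lookupPrincipal): string {
    if (empty($settings[AUTHX_HEADER_ENABLED])) {
        return 'skip';  // site has opted out of header-based auth entirely
    }
    $parsed = parseAuthorizationHeader($server['HTTP_AUTHORIZATION'] ?? null);
    if ($parsed === null) {
        return 'skip';
    }
    [$scheme, $cred] = $parsed;

    if ($scheme === 'basic') {
        $decoded = base64_decode($cred, true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return 'skip';  // not a well-formed Basic credential; not ours to judge
        }
        [$user, $pass] = explode(':', $decoded, 2);
        // The web server has already verified these credentials. If they do not
        // map to a principal AuthX knows, they were meant for the server, so the
        // request proceeds (unauthenticated as far as AuthX is concerned) rather
        // than failing with 401 on every page.
        return $lookupPrincipal($user, $pass) ? 'authenticated' : 'skip';
    }
    if ($scheme === 'bearer') {
        // Bearer tokens are only meaningful to AuthX, so an unknown one is rejected.
        return $lookupPrincipal($cred, null) ? 'authenticated' : 'reject';
    }
    return 'skip';
}

// Constructed demonstration: the curl request from the report (user "a",
// password "b") against a stub principal store that knows no one.
$noPrincipals = function (string $id, ?string $secret): bool {
    return false;
};
$basicRequest = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('a:b')];
$bearerRequest = ['HTTP_AUTHORIZATION' => 'Bearer constructed-token'];

echo decideHeaderAuth($basicRequest, [AUTHX_HEADER_ENABLED => true], $noPrincipals), "\n";
echo decideHeaderAuth($basicRequest, [AUTHX_HEADER_ENABLED => false], $noPrincipals), "\n";
echo decideHeaderAuth($bearerRequest, [AUTHX_HEADER_ENABLED => true], $noPrincipals), "\n";
```

The pass-through for unknown Basic credentials never grants access: the request continues with whatever session the CMS already has, so the web server's own Basic Auth remains the only gate. The trade-off is that a mistyped AuthX Basic credential is silently ignored instead of reported, which is why the example logs nothing and leaves that decision to the caller; a deployment that does not use the web server's Basic Auth can keep the strict behaviour by returning 'reject' there instead.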