From f96d56120adb5308dcdb8cb78dd56696a8c1aeed Mon Sep 17 00:00:00 2001
From: Quentin RIBAC <quentin.ribac@xelians.fr>
Date: Wed, 6 Oct 2021 14:23:19 +0200
Subject: [PATCH] FIX #18385 TIME 1 using
 AuthenticationController::authenticate() if no Basic Auth provided

---
 rest/index.php                                    |  5 ++++-
 src/core/controllers/AuthenticationController.php | 12 ++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/rest/index.php b/rest/index.php
index 148d1032198..653b80ddecf 100755
--- a/rest/index.php
+++ b/rest/index.php
@@ -45,7 +45,10 @@ $app->add(function (\Slim\Http\Request $request, \Slim\Http\Response $response,
                     }
                 }
             } else {
-                return $response->withStatus(401)->withJson(['errors' => 'Authentication Failed']);
+                $response = \SrcCore\controllers\AuthenticationController::authenticate($request, $response);
+                if ($response->getStatusCode() != 204) {
+                    return $response;
+                }
             }
         }
     }
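Review bot: The status check on the new `if` line uses loose inequality; `getStatusCode()` returns an int, so `if ($response->getStatusCode() !== 204) {` is the safer form and avoids the loose-comparison pitfalls. The fall-through on 204 is also undocumented: a reader cannot see here that the request is considered authenticated only because `authenticate()` (presumably, via `CoreController::setGlobals()`) has populated the user globals — a comment such as `// 204 means authenticate() validated the body credentials and set the user globals; anything else is an error response to return as-is` would make the contract explicit. Since `authenticate()` reads `$request->getParsedBody()`, every REST route without Basic Auth now accepts body credentials, so any lockout or throttling applied on the login endpoint should be confirmed to apply on this path too. The enclosing middleware closure starts before this hunk.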
diff --git a/src/core/controllers/AuthenticationController.php b/src/core/controllers/AuthenticationController.php
index a5424378dfa..88b133dc971 100755
--- a/src/core/controllers/AuthenticationController.php
+++ b/src/core/controllers/AuthenticationController.php
@@ -256,7 +256,7 @@ class AuthenticationController
         return true;
     }
 
-    public function authenticate(Request $request, Response $response)
+    public static function authenticate(Request $request, Response $response)
     {
         $body = $request->getParsedBody();
 
@@ -340,8 +340,7 @@ class AuthenticationController
         UserController::setAbsences();
         $user = UserModel::getByLowerLogin(['login' => $login, 'select' => ['id', 'refresh_token', 'user_id']]);
 
-        $GLOBALS['id'] = $user['id'];
-        $GLOBALS['login'] = $user['user_id'];
+        \SrcCore\controllers\CoreController::setGlobals(['userId' => $user['id']]);
 
         $user['refresh_token'] = json_decode($user['refresh_token'], true);
         foreach ($user['refresh_token'] as $key => $refreshToken) {
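Review bot: The removed `$GLOBALS['login'] = $user['user_id'];` has no visible replacement — the new `CoreController::setGlobals()` call receives only `'userId' => $user['id']`. Unless `setGlobals()` itself resolves and sets the `login` global from the user id (not visible here, so to be confirmed), code that later reads `$GLOBALS['login']` during this request will find it unset. If it does not, pass it along, e.g. `\SrcCore\controllers\CoreController::setGlobals(['userId' => $user['id'], 'login' => $user['user_id']]);`, assuming the helper accepts that key. The same `setGlobals` contract is what the first hunk in `rest/index.php` relies on after a 204.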
@@ -567,11 +566,8 @@ class AuthenticationController
             return ['errors' => 'Sso configuration missing : no login mapping'];
         }
 
-        if (in_array(strtoupper($mapping['login']), ['REMOTE_USER', 'PHP_AUTH_USER'])) {
-            $login = $_SERVER[strtoupper($mapping['login'])] ?? null;
-        } else {
-            $login = $_SERVER['HTTP_' . strtoupper($mapping['login'])] ?? null;
-        }
+        $headers = apache_request_headers();
+        $login = $headers[$mapping['login']] ?? '';
         if (empty($login)) {
             return ['errors' => 'Authentication Failed : login not present in header'];
         }
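Review bot: The new `apache_request_headers()` lookup changes the trust boundary of the SSO login: the removed branch read `$_SERVER['REMOTE_USER']` / `PHP_AUTH_USER`, which the web server's auth module sets, whereas request headers are supplied by the client, so with a mapping of `REMOTE_USER` the lookup now silently returns nothing and with any other mapping the value is only trustworthy if the front-end proxy strips or overwrites that header. Header names are also case-insensitive in HTTP, while `$headers[$mapping['login']]` does an exact-key match, so a mapping written in a different case than the client sends fails; the old code normalised with `strtoupper()`. Keeping the server-variable branch for the two server-populated names and normalising header keys for the rest preserves the original behaviour for existing configurations while still supporting arbitrary header names. The enclosing SSO method starts before this hunk; `apache_request_headers()` availability also depends on the SAPI, which is worth confirming for this deployment.
```php
$mappedLogin = strtoupper($mapping['login']);
if (in_array($mappedLogin, ['REMOTE_USER', 'PHP_AUTH_USER'], true)) {
    // Populated by the web server's auth module, not by the client request
    $login = $_SERVER[$mappedLogin] ?? '';
} else {
    // HTTP header names are case-insensitive: normalise keys before the lookup
    $headers = array_change_key_case(apache_request_headers(), CASE_LOWER);
    $login = $headers[strtolower($mapping['login'])] ?? '';
}
// … unchanged: empty($login) check …
```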
-- 
GitLab