IBX-5243: Respect header setting for AuthorizationHeaderRESTRequestMatcher

Author: Steveb-p

src/bundle/DependencyInjection/Compiler/LexikAuthorizationHeaderBridgePass.php

@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\Bundle\Rest\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+final class LexikAuthorizationHeaderBridgePass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container): void
+    {
+        if (!$container->hasDefinition('lexik_jwt_authentication.extractor.authorization_header_extractor')) {
+            return;
+        }
+
+        $definition = $container->getDefinition('lexik_jwt_authentication.extractor.authorization_header_extractor');
+        $headerName = $definition->getArgument(1);
+
+        $container->setParameter('ibexa.rest.authorization_header_name', $headerName);
+    }
+}

src/bundle/IbexaRestBundle.php

@@ -25,6 +25,10 @@ public function build(ContainerBuilder $container)
         /** @var \Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension $securityExtension */
         $securityExtension = $container->getExtension('security');
         $securityExtension->addSecurityListenerFactory(new RestSessionBasedFactory());
+
+        if ($container->hasExtension('lexik_jwt_authentication')) {
+            $container->addCompilerPass(new Compiler\LexikAuthorizationHeaderBridgePass());
+        }
     }
 }
 

src/bundle/Resources/config/security.yml

@@ -1,4 +1,6 @@
 parameters:
+    ibexa.rest.authorization_header_name: ~
+
 services:
     # Following service will be aliased at compile time to "ezpublish_rest.session_authenticator" by the Security factory.
     ibexa.rest.security.authentication.listener.session:
@@ -12,7 +14,9 @@ services:
             - "@?logger"
         abstract: true
 
-    Ibexa\Contracts\Rest\Security\AuthorizationHeaderRESTRequestMatcher: ~
+    Ibexa\Contracts\Rest\Security\AuthorizationHeaderRESTRequestMatcher:
+        arguments:
+            $headerName: '%ibexa.rest.authorization_header_name%'
 
     Ibexa\Rest\Server\Security\RestLogoutHandler:
         arguments:

src/contracts/Security/AuthorizationHeaderRESTRequestMatcher.php

@@ -13,6 +13,22 @@
 
 final class AuthorizationHeaderRESTRequestMatcher extends RequestMatcher
 {
+    private ?string $headerName;
+
+    public function __construct(
+        ?string $headerName = null,
+        string $path = null,
+        string $host = null,
+        $methods = null,
+        $ips = null,
+        array $attributes = [],
+        $schemes = null,
+        int $port = null
+    ) {
+        parent::__construct($path, $host, $methods, $ips, $attributes, $schemes, $port);
+        $this->headerName = $headerName;
+    }
+
     public function matches(Request $request): bool
     {
         if ($request->attributes->get('is_rest_request', false) !== true) {
@@ -21,7 +37,7 @@ public function matches(Request $request): bool
 
         if (
             $request->attributes->get('_route') === 'ibexa.rest.create_token'
-            || !empty($request->headers->get('Authorization'))
+            || !empty($request->headers->get($this->headerName ?? 'Authorization'))
         ) {
             return parent::matches($request);
         }

tests/contracts/Security/AuthorizationHeaderRESTRequestMatcherTest.php

@@ -25,7 +25,7 @@ public function testDoesNotMatchRestRequestsWithoutHeader(): void
     {
         $matcher = new AuthorizationHeaderRESTRequestMatcher();
 
-        $request = new Request([], [], [
+        $request = $this->createRequest([
             'is_rest_request' => true,
         ]);
 
@@ -36,24 +36,46 @@ public function testMatchesRestRequestsWithHeader(): void
     {
         $matcher = new AuthorizationHeaderRESTRequestMatcher();
 
-        $request = new Request([], [], [
+        $request = $this->createRequest([
             'is_rest_request' => true,
-        ], [], [], [
+        ], [
             'HTTP_AUTHORIZATION' => 'Bearer foo',
         ]);
 
         self::assertTrue($matcher->matches($request));
     }
 
+    public function testMatchesRestRequestsWithCustomHeader(): void
+    {
+        $matcher = new AuthorizationHeaderRESTRequestMatcher('X-Foo');
+
+        $request = $this->createRequest([
+            'is_rest_request' => true,
+        ], [
+            'HTTP_X-FOO' => 'Bearer foo',
+        ]);
+
+        self::assertTrue($matcher->matches($request));
+    }
+
     public function testMatchesRestJwtCreationEndpoint(): void
     {
         $matcher = new AuthorizationHeaderRESTRequestMatcher();
 
-        $request = new Request([], [], [
+        $request = $this->createRequest([
             'is_rest_request' => true,
             '_route' => 'ibexa.rest.create_token',
         ]);
 
         self::assertTrue($matcher->matches($request));
     }
+
+    /**
+     * @param array<string, mixed> $attributes
+     * @param array<string, array<string>|string> $server
+     */
+    private function createRequest(array $attributes = [], array $server = []): Request
+    {
+        return new Request([], [], $attributes, [], [], $server);
+    }
 }