I have the following piece of code in a Laravel BaseController. I want to protect all my API resources with an Authorization header containing a token.
<?php
// Laravel 4 BaseController: every controller that extends it runs this filter
// before its action. Request, Response and User are the usual Laravel 4 aliases.
class BaseController extends Controller
{
    protected $currentUser;

    public function __construct()
    {
        $this->beforeFilter('@getUserFromToken');
    }

    public function getUserFromToken($route, $request)
    {
        $accessToken = Request::header('Authorization');
        if (!empty($accessToken)) {
            // Note: the request also proceeds if findByToken() finds no user (null).
            $this->currentUser = User::findByToken($accessToken);
        } else {
            // THE PROBLEM: when the header is absent this returns null, and a null
            // return from a before filter lets the request continue, so the action
            // runs without any user; the 403 response below is unreachable.
            return Request::header('Authorization');
            return Response::json(['error' => 'Not authorized. Access token needed in Header.Authorization'], 403);
        }
    }
}
Here is my .htaccess if that's relevant.
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>
    RewriteEngine On
    # Redirect Trailing Slashes...
    RewriteRule ^(.*)/$ /$1 [L,R=301]
    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>
So if I have the marked problem line, Apache will read everything perfectly, and I will get my responses back and not get the 403. However, if I don't have that line, I will get a 403 error with my custom error message. WHY? Obviously I am using the same code $this->currentUser = User::findByToken($accessToken);, so why, by leaving the marked line in, am I able to get the header? Is there a redirect happening behind the scenes that sets the Authorization header somehow only the second time? Is there a setting that I missed for Apache to pick up the header the first time?
UPDATE:
I guess my question is: if I just return Response::json(['error'=>'Not authorized. Access token needed in Header.Authorization'], 403);, I will always get this error json. And my $accessToken will always be empty. Why?
MORE UPDATE:
Looks like I shouldn't reuse the Authorization header? I tried:
$accessToken = Request::header('Custom-Token');
if(!empty($accessToken)){
  $this->currentUser = User::findByToken($accessToken);
}else{
  return Response::json(['error'=>'Not authorized. Access token needed in Header.Authorization'], 403);
}
And this time I'm able to get the real token. My question still stands then, why can I return the "magical" header and suddenly get it in Laravel?
This related question didn't answer it, but pointed me in the right direction: laravel 4: why is Request::header() not getting the specified header?
One more thing: the Authorization header does work without the magic return if I serve using php artisan serve, which uses the PHP dev server.
It is a Laravel & Apache problem; this line in public/.htaccess fixed it for me:
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
The fix is from https://github.com/dingo/api/issues/54
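The rewrite rule above in context, as an added example that is not part of the answer or of the question's original file. It assumes the same setup as the question: Apache with mod_rewrite, AllowOverride permitting public/.htaccess, and PHP running under mod_php. The underlying cause is that Apache reserves the Authorization header for its own authentication modules and does not expose it to PHP as $_SERVER['HTTP_AUTHORIZATION'] unless a rule copies it into the environment; the dev server started by php artisan serve has no such layer, which is why the header "works" there.

```apache
# public/.htaccess (added example, not the answerer's file)
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Copy the Authorization header into an environment variable that PHP sees as
    # $_SERVER['HTTP_AUTHORIZATION']. '-' means "do not rewrite the URL", so the
    # rule only sets the variable. Keep it ahead of the rules that carry [L]
    # (which end the current pass) so it runs on the first pass of every request.
    RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes...
    RewriteRule ^(.*)/$ /$1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

# After the internal redirect to index.php, Apache may also expose the value as
# $_SERVER['REDIRECT_HTTP_AUTHORIZATION']. Symfony HttpFoundation, which Laravel's
# Request wraps, reads both names, so Request::header('Authorization') keeps working.

# Alternative without mod_rewrite (needs mod_setenvif):
# SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# When PHP runs as CGI/FastCGI (for example mod_proxy_fcgi to PHP-FPM) on Apache
# 2.4.13 or newer, pass the header through directly instead:
# CGIPassAuth On
```

To check the fix, send a request with curl -i -H 'Authorization: <token>' against the API and confirm the filter now sees the token rather than falling into the else branch. Independently of the Apache change, the filter itself should fail closed: return the 403 JSON response whenever the header is missing or User::findByToken() returns no user, instead of a null that lets the action run without an authenticated user.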