Authorization is now X-Signature #9696

So we can still use `Authorization` header for authentification (eg: via token bearer), in addition of signature.
Ecodev · Jul 25, 2023 · 433ac3e · 433ac3e
1 parent 27e9dba
commit 433ac3e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/src/Middleware/SignedQueryMiddleware.php b/src/Middleware/SignedQueryMiddleware.php
@@ -13,7 +13,7 @@
 use Psr\Http\Server\RequestHandlerInterface;
 
 /**
- * Validate that the GraphQL query contains a valid signature in the `Authorization` HTTP header.
+ * Validate that the GraphQL query contains a valid signature in the `X-Signature` HTTP header.
  *
  * The signature payload is the GraphQL operation (or operations in case of batching). That means that the query itself
  * and the variables are signed. But it specifically does **not** include uploaded files.
@@ -52,23 +52,23 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
     private function verify(ServerRequestInterface $request): void
     {
-        $autorization = $request->getHeader('authorization')[0] ?? '';
-        if (!$autorization) {
+        $signature = $request->getHeader('X-Signature')[0] ?? '';
+        if (!$signature) {
             if ($this->isAllowedIp($request)) {
                 return;
             }
 
-            throw new Exception('Missing `Authorization` HTTP header in signed query', 403);
+            throw new Exception('Missing `X-Signature` HTTP header in signed query', 403);
         }
 
-        if (preg_match('~^v1\.(?<timestamp>\d{10})\.(?<hash>[0-9a-f]{64})$~', $autorization, $m)) {
+        if (preg_match('~^v1\.(?<timestamp>\d{10})\.(?<hash>[0-9a-f]{64})$~', $signature, $m)) {
             $timestamp = $m['timestamp'];
             $hash = $m['hash'];
 
             $this->verifyTimestamp($timestamp);
             $this->verifyHash($request, $timestamp, $hash);
         } else {
-            throw new Exception('Invalid `Authorization` HTTP header in signed query', 403);
+            throw new Exception('Invalid `X-Signature` HTTP header in signed query', 403);
         }
     }
 

diff --git a/tests/Middleware/SignedQueryMiddlewareTest.php b/tests/Middleware/SignedQueryMiddlewareTest.php
@@ -53,7 +53,7 @@ private function process(array $keys, bool $required, string $ip, string $body,
         $request = $request->withBody(new CallbackStream(fn () => $body))->withParsedBody($parsedBody);
 
         if ($signature) {
-            $request = $request->withHeader('Authorization', $signature);
+            $request = $request->withHeader('X-Signature', $signature);
         }
 
         $handler = $this->createMock(RequestHandlerInterface::class);
@@ -162,15 +162,15 @@ public function dataProviderQuery(): iterable
             '{"operationName":"CurrentUser","variables":{},"query":"query CurrentUser { viewer { id }}',
             null,
             '',
-            'Missing `Authorization` HTTP header in signed query',
+            'Missing `X-Signature` HTTP header in signed query',
         ];
 
         yield 'invalid header' => [
             [$key1],
             '{"operationName":"CurrentUser","variables":{},"query":"query CurrentUser { viewer { id }}',
             null,
             'foo',
-            'Invalid `Authorization` HTTP header in signed query',
+            'Invalid `X-Signature` HTTP header in signed query',
         ];
 
         yield 'no graphql operations' => [