fix error when using CORS with no auth credentials
This commit is contained in:
parent
739bbc27c0
commit
9cfd0b123d
|
@ -83,14 +83,13 @@ class CORSMiddleware extends Middleware {
|
|||
public function beforeController($controller, $methodName) {
|
||||
// ensure that @CORS annotated API routes are not used in conjunction
|
||||
// with session authentication since this enables CSRF attack vectors
|
||||
if ($this->reflector->hasAnnotation('CORS') &&
|
||||
!$this->reflector->hasAnnotation('PublicPage')) {
|
||||
$user = $this->request->server['PHP_AUTH_USER'];
|
||||
$pass = $this->request->server['PHP_AUTH_PW'];
|
||||
if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
|
||||
$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
|
||||
$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
|
||||
|
||||
$this->session->logout();
|
||||
try {
|
||||
if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
|
||||
if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
|
||||
throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
|
||||
}
|
||||
} catch (PasswordLoginForbiddenException $ex) {
|
||||
|
|
Loading…
Reference in New Issue