View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007918 | GraphQL Base | General | public | 2026-03-27 11:44 | 2026-04-08 08:40 |
| Reporter | OxidSimonGassenschmidt | Assigned To | |||
| Priority | normal | Severity | feature | Reproducibility | have not tried |
| Status | confirmed | Resolution | open | ||
| Product Version | v12.0.0 | ||||
| Summary | 0007918: Misleading error message when Authorization header is stripped by Apache | ||||
**Description**

Misleading error message when Authorization header is stripped by Apache

When Apache strips the Authorization header before it reaches PHP (a common default configuration), all `#[Logged]` endpoints return:

"You need to be logged to access this field"

This is the same error message regardless of whether:

- No token was sent
- An invalid token was sent
- A valid token was sent but the header was stripped by the webserver

The module should differentiate between:

- No Authorization header present: the current anonymous fallback is acceptable
- Authorization header present but token invalid: a specific error, e.g. "Invalid or expired token"
- Authorization header absent despite being expected: ideally a hint that the header may be stripped by the webserver

At minimum, when a Bearer token is provided but cannot be parsed (because the header was silently dropped), the error should differ from the anonymous-user case.

Suggested Improvements

- Documentation: Add the .htaccess RewriteRule to the installation docs as a required step for Apache environments. This is a well-known Apache/PHP issue but not obvious for OXID module developers debugging "You need to be logged" errors.
- Error differentiation: In `RequestReader::getAuthToken()`, if no Authorization header is found, check for the `REDIRECT_HTTP_AUTHORIZATION` and `HTTP_AUTHORIZATION` server variables as a fallback. If none are present, consider setting a flag that distinguishes "no auth attempted" from "auth attempted but failed".

Environment

- OXID eShop 7.4.x
- graphql-base 12.0.1
- Apache with mod_rewrite (Docker SDK setup)
- PHP-FPM

**Steps To Reproduce**

1. Install OXID eShop with graphql-base.
2. Do NOT add the following .htaccess rule (which is not documented as required):

```apache
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
```

3. Authenticate:

```graphql
query { token(username: "[email protected]", password: "admin") }
```

4. Call any `#[Logged]` endpoint with `Authorization: Bearer {token}`.
5. Receive "You need to be logged", identical to calling without any token.

**Tags**

No tags attached.
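The error-differentiation suggestion above (fall back to `HTTP_AUTHORIZATION` / `REDIRECT_HTTP_AUTHORIZATION`, and tell "no auth attempted" apart from "auth attempted but failed") can be sketched as follows. This is an added example, not code from graphql-base or its `RequestReader`: the class `AuthHeaderState` and the functions `readAuthHeader`, `getAuthTokenState` and `describeFailure` are hypothetical names, the sample `$_SERVER` arrays are constructed, and the code assumes PHP 8.1 or later for `readonly` properties and `match`.

```php
<?php
declare(strict_types=1);

// Added example (not graphql-base code). Classifies the Authorization header
// seen by PHP so the caller can emit a distinct message per case instead of
// the single "You need to be logged" error.
final class AuthHeaderState
{
    public const ABSENT    = 'absent';    // no Authorization header reached PHP at all
    public const MALFORMED = 'malformed'; // header present but not "Bearer <token>"
    public const PRESENT   = 'present';   // a bearer token string was extracted

    public function __construct(
        public readonly string $state,
        public readonly ?string $token,
        public readonly string $source,   // which server variable supplied the header
    ) {}
}

// Returns [sourceName, rawHeaderValue] or null when nothing usable is present.
function readAuthHeader(array $server): ?array
{
    // REDIRECT_HTTP_AUTHORIZATION is what the .htaccess RewriteRule from the
    // report produces when Apache carries the env var across an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        $value = isset($server[$key]) ? trim((string) $server[$key]) : '';
        if ($value !== '') {
            return [$key, $value];
        }
    }
    // Last resort: ask the SAPI directly. Only exists on some SAPIs, and it
    // cannot recover a header the webserver never forwarded, hence the guard.
    if (function_exists('apache_request_headers')) {
        $headers = apache_request_headers();
        if (is_array($headers)) {
            foreach ($headers as $name => $value) {
                if (strcasecmp($name, 'Authorization') === 0 && trim($value) !== '') {
                    return ['apache_request_headers', trim($value)];
                }
            }
        }
    }
    return null;
}

function getAuthTokenState(array $server): AuthHeaderState
{
    $found = readAuthHeader($server);
    if ($found === null) {
        return new AuthHeaderState(AuthHeaderState::ABSENT, null, 'none');
    }
    [$source, $raw] = $found;
    // Case-insensitive scheme, exactly one token68 value, nothing trailing.
    if (preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i', $raw, $m) !== 1) {
        return new AuthHeaderState(AuthHeaderState::MALFORMED, null, $source);
    }
    return new AuthHeaderState(AuthHeaderState::PRESENT, $m[1], $source);
}

// $tokenValid is the outcome of the caller's real token check (signature,
// expiry, user lookup); this function only chooses the message.
function describeFailure(AuthHeaderState $s, bool $tokenValid): ?string
{
    return match (true) {
        $s->state === AuthHeaderState::ABSENT =>
            'You need to be logged to access this field. Hint: no Authorization header '
            . 'reached PHP; if a Bearer token was sent, the webserver may have stripped it.',
        $s->state === AuthHeaderState::MALFORMED =>
            'Authorization header present but not a valid "Bearer <token>" value.',
        !$tokenValid => 'Invalid or expired token.',
        default => null,
    };
}

// Constructed sample environments standing in for $_SERVER (not real requests).
$cases = [
    'stripped'  => [],
    'rewritten' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer eyJhbGciOi.constructed.sig'],
    'garbage'   => ['HTTP_AUTHORIZATION' => 'Basic Zm9vOmJhcg=='],
];
foreach ($cases as $label => $env) {
    $state = getAuthTokenState($env);
    printf("%-9s %-9s via %-27s -> %s\n", $label, $state->state, $state->source,
        describeFailure($state, false) ?? 'token accepted by caller');
}
```

The `stripped` case is the one the report describes: the header never reaches PHP, so the only honest thing the module can say is that no header arrived, plus the hint about the webserver. Keeping the three states separate also makes the server-side log useful for operators, since a flood of `absent` states from clients that do send tokens points at the Apache configuration rather than at the clients.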