From e62bef1158574a43d4aa945b6e842fc1468e94bc Mon Sep 17 00:00:00 2001
From: Wilfried JEANNIARD
Date: Mon, 11 May 2020 16:37:12 +0200
Subject: [PATCH] Fix Authorization header
---
 src/HttpBasicAuthentication.php | 11 +++++++----
 tests/BasicAuthenticationTest.php | 29 +++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/src/HttpBasicAuthentication.php b/src/HttpBasicAuthentication.php
index 8a39456..35b71a4 100644
--- a/src/HttpBasicAuthentication.php
+++ b/src/HttpBasicAuthentication.php
@@ -123,10 +123,13 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 /* Just in case. */
 $params = ["user" => null, "password" => null];
- if (preg_match("/Basic\s+(.*)$/i", $request->getHeaderLine("Authorization"), $matches)) {
- $explodedCredential = explode(":", base64_decode($matches[1]), 2);
- if (count($explodedCredential) == 2) {
- list($params["user"], $params["password"]) = $explodedCredential;
+ $authheader = explode(",", $request->getHeaderLine("Authorization"));
+ foreach ($authheader as $h) {
+ if (preg_match("/Basic\s+(.*)$/i", $h, $matches)) {
+ $explodedCredential = explode(":", base64_decode($matches[1]), 2);
+ if (count($explodedCredential) == 2) {
+ list($params["user"], $params["password"]) = $explodedCredential;
+ }
 }
 }
diff --git a/tests/BasicAuthenticationTest.php b/tests/BasicAuthenticationTest.php
index 0edb15b..206c6a0 100644
--- a/tests/BasicAuthenticationTest.php
+++ b/tests/BasicAuthenticationTest.php
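Review bot: The new `foreach` overwrites `$params` on every matching element, so when the comma-joined Authorization value carries two different Basic credentials the last one silently wins, and any front-end component that evaluated the first one would disagree with this middleware about who the caller is. I would stop at the first well-formed credential, or fail the request when the decoded values differ. Because each element is now a fragment of a split header, the pattern should also be anchored at the start, and the payload decoded in strict mode with the element skipped when decoding returns `false`. `process()` begins and ends outside this hunk, so how `$params` is consumed afterwards is not visible here.

```php
foreach ($authheader as $h) {
    if (preg_match("/^\s*Basic\s+(.*)$/i", $h, $matches)) {
        $decoded = base64_decode($matches[1], true);
        if ($decoded === false) {
            continue;
        }
        $explodedCredential = explode(":", $decoded, 2);
        if (count($explodedCredential) == 2) {
            list($params["user"], $params["password"]) = $explodedCredential;
            break;
        }
    }
}
```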
@@ -120,6 +120,35 @@ public function testShouldReturn200WithPassword()
 $this->assertEquals("Success", $response->getBody());
 }
+ public function testShouldReturn200WithMultipleHeaders()
+ {
+ $request = (new ServerRequestFactory)
+ ->createServerRequest("GET", "https://example.com/admin/item")
+ ->withHeader("Authorization", "Basic cm9vdDp0MDBy,Basic cm9vdDp0MDBy");
+
+ $response = (new ResponseFactory)->createResponse();
+
+ $auth = new HttpBasicAuthentication([
+ "path" => "/admin",
+ "realm" => "Protected",
+ "users" => [
+ "root" => "t00r",
+ "user" => "passw0rd"
+ ]
+ ]);
+
+ $next = function (ServerRequestInterface $request, ResponseInterface $response) {
+ $response->getBody()->write("Success");
+ return $response;
+ };
+
+ $response = $auth($request, $response, $next);
+
+ $this->assertEquals(200, $response->getStatusCode());
+ $this->assertEquals("Success", $response->getBody());
+ }
+
+
 public function testShouldReturn200WithOptions()
 {
 $request = (new ServerRequestFactory)
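Review bot: The added test only sends the same valid credential twice, so it does not pin which value is used when the two elements of the header differ. A companion case with one valid and one invalid credential, e.g. `->withHeader("Authorization", "Basic cm9vdDp0MDBy,Basic " . base64_encode("root:wrong"))` (second value constructed for illustration), with an assertion on the intended status code, would keep that precedence from changing unnoticed. The two blank `+` lines after the closing brace also leave a double blank line before `testShouldReturn200WithOptions()`.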