Issues when using HTTP BASIC Auth on EnvironmentChecker.php

[robertvanlienden]

Hi there,

I've found 2 issues in this module touching the BASIC AUTH.

Details about environment

Running this module on;

• PHP 7.2
• Apache

Readme

1. The example in the README does not work. In the original README there are double-quotes added.
   But the double-quotes are not needed, the example below is the right way to add this environment variables;

ENVCHECK_BASICAUTH_USERNAME=test
ENVCHECK_BASICAUTH_PASSWORD=password

For some reason Environment::getEnv('ENVCHECK_BASICAUTH_USERNAME') returns "test" and Environment::getEnv('ENVCHECK_BASICAUTH_USERNAME') will return "password".

In the README update PR I've created, there was a comment mentioning https://github.com/m1/Env#env-example. Quotes around .env variables should be allowed.

Wierd issue, needs further investigation.

$_SERVER['PHP_AUTH_PW'] and $_SERVER['PHP_AUTH_USER']

2. $_SERVER['PHP_AUTH_PW'] and $_SERVER['PHP_AUTH_USER'] checks in EnvironmentChecker.php -> init method are not working

For some reason, when I check on the variables above, I've keep getting the "basic auth form" and logging in.
Did some investigation, and the variables are just not available.

When I'm adding a $request = $this->getRequest(); and then use $request->getHeader('PHP_AUTH_USER') and $request->getHeader('PHP_AUTH_PW') the basic login works.

And now?

I'm willing to create a PR later, but right now I just don't have time to fix this and create a PR.
Because I've found this issue and I think its important to fix this, I've created a Issue to make sure this is documented somewhere.

Work-around;
For now, I've created a custom HealthCheck controller that doesn't involve the init method on the EnvironentChecker.
This way I can use my own basic authentication logic in my own controller.

[robertvanlienden]

Update on README;
#74
PR closed because the quotes should be supported by .env https://github.com/m1/Env#env-example (Thanks @dhensby for your comment on the PR)

Created the PR above to fix the readme.

Update on $_SERVER['PHP_AUTH_PW'] and $_SERVER['PHP_AUTH_USER'] variables;

Found this comment on http-auth on php.net suggesting a work around to use this variable; SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 in the Apache configuration.

Now I'm not sure if we should replace the $_SERVER['PHP_AUTH_PW'] and $_SERVER['PHP_AUTH_PW'] variables.

But I found out that SilverStripe BasicAuth relies on $request->getHeader('PHP_AUTH_USER') and $request->getHeader('PHP_AUTH_PW') variables.
🤔 I can't make a choice.

[emteknetnz]

I've tested this locally using a CMS 5.3 install and there no longer appears to be any issue with either of these. The env variable quoting works correctly with and without double quotes, and the basic auth works as I'd expect it to when accessing dev/check

[sig-peggy]

The second issue

$_SERVER['PHP_AUTH_PW'] and $_SERVER['PHP_AUTH_USER'] checks in EnvironmentChecker.php -> init method are not working

is still a problem for me on a CMS 5.3 install (after working around the open #92 problem)