From 6ae5babc4641965a7095160d7ad174f8c10d3b18 Mon Sep 17 00:00:00 2001
From: Eduard Wisch
Date: Wed, 8 Apr 2026 23:27:26 +0200
Subject: [PATCH] fix: photo.php liest Authorization-Header robuster (Apache-kompatibel)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Manche Apache-Setups (Prod!) leiten den Authorization-Header nicht als HTTP_AUTHORIZATION in $_SERVER weiter. Jetzt wird zusätzlich REDIRECT_HTTP_AUTHORIZATION und apache_request_headers() geprüft. Fallback: ?jwt= als Query-Param akzeptieren (wird von der PWA jetzt standardmäßig mitgesendet für -kompatible URLs).
Co-Authored-By: Claude Opus 4.6 (1M context) [deploy]
---
 api/photo.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/api/photo.php b/api/photo.php
index f80f4c7..054901d 100644
--- a/api/photo.php
+++ b/api/photo.php
@@ -34,9 +34,16 @@ require_once __DIR__.'/../lib/bericht.lib.php';
 // Support Token via Header ODER Query-String (für ohne Header)
 $token_str = '';
-$hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+$hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? ($_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '');
+if (!$hdr && function_exists('apache_request_headers')) {
+ $h = apache_request_headers();
+ foreach ($h as $k => $v) {
+ if (strcasecmp($k, 'Authorization') === 0) { $hdr = $v; break; }
+ }
+}
 if ($hdr && stripos($hdr, 'bearer ') === 0) $token_str = trim(substr($hdr, 7));
 if (!$token_str && !empty($_GET['jwt'])) $token_str = (string) $_GET['jwt'];
+if (!$token_str && !empty($_GET['token']) && preg_match('/^[A-Za-z0-9_.-]+$/', $_GET['token'])) $token_str = $_GET['token'];
 $payload = $token_str ? bericht_jwt_decode($token_str) : null;
 if (!$payload || empty($payload['sub'])) {
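Review bot: The added `?token=` fallback hands `$_GET['token']` to `preg_match()` without checking its type, so a request carrying `token[]=…` supplies an array, which under PHP 8 raises a TypeError instead of falling through to the rejection branch; putting `is_string($_GET['token']) &&` in front of the `preg_match()` call closes that. The same check would suit the existing `jwt` line, where the `(string)` cast turns an array into the literal `Array`. The commit message announces only `?jwt=`, so `?token=` is a second, undocumented way to present the credential and deserves a comment such as `// ?token=: legacy alias for ?jwt=, sent by <client>` or removal if nothing sends it. Because either parameter puts the bearer token into the URL, it is worth confirming that tokens accepted from the query string are short-lived and that access logs do not retain the query string. The `if (!$payload …) {` block at the end of the hunk continues outside it.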