Author: Shivam Mathur (shivammathur)
Date: 2026-04-02T06:55:31+05:30

Commit: 
https://github.com/php/web-downloads/commit/20fc1575519d8f7378528ac28890d80cd2f4900d
Raw diff: 
https://github.com/php/web-downloads/commit/20fc1575519d8f7378528ac28890d80cd2f4900d.diff

Fix auth failing open when AUTH_TOKEN is unset

Changed paths:
  M  src/Auth.php
  M  tests/AuthTest.php


Diff:

diff --git a/src/Auth.php b/src/Auth.php
index a352928..d9e8f95 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -7,9 +7,14 @@ class Auth
 {
     public function authenticate(): bool
     {
+        $expectedToken = (string) getenv('AUTH_TOKEN');
+        if ($expectedToken === '') {
+            return false;
+        }
+
         $authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
         $authToken = str_replace('Bearer ', '', $authHeader);
 
-        return hash_equals((string) getenv('AUTH_TOKEN'), $authToken);
+        return hash_equals($expectedToken, $authToken);
     }
 }
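Review bot: The header parsing on the `$authToken` line still does not require the `Bearer` scheme: `str_replace` deletes every occurrence of `'Bearer '` wherever it appears, so a header carrying the bare token, or one with the scheme repeated, compares equal to `$expectedToken`. A prefix check limits the accepted format to exactly one shape: `if (!str_starts_with($authHeader, 'Bearer ')) { return false; }` followed by `$authToken = substr($authHeader, 7);`. The new fail-closed guard on `$expectedToken` is correct; a one-line comment above it, `// Fail closed: an unset or empty AUTH_TOKEN must never match an empty bearer token.`, would keep a later cleanup from dropping it as redundant with hash_equals.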
diff --git a/tests/AuthTest.php b/tests/AuthTest.php
index b666da7..6dd652f 100644
--- a/tests/AuthTest.php
+++ b/tests/AuthTest.php
@@ -25,4 +25,18 @@ public function testAuthenticateWithNoToken() {
         $auth = new Auth();
         $this->assertFalse($auth->authenticate(), 'Authentication should fail 
with no token provided.');
     }
+
+    public function testAuthenticateFailsWhenAuthTokenUnset() {
+        unset($_SERVER['HTTP_AUTHORIZATION']);
+        putenv('AUTH_TOKEN');
+        $auth = new Auth();
+        $this->assertFalse($auth->authenticate(), 'Authentication should fail 
when AUTH_TOKEN is unset.');
+    }
+
+    public function testAuthenticateFailsWithEmptyAuthTokenAndEmptyHeader() {
+        $_SERVER['HTTP_AUTHORIZATION'] = '';
+        putenv('AUTH_TOKEN');
+        $auth = new Auth();
+        $this->assertFalse($auth->authenticate(), 'Authentication should fail 
when both AUTH_TOKEN and header are empty.');
+    }
 }
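Review bot: Neither new test exercises the explicitly-empty case that the `$expectedToken === ''` guard in src/Auth.php also covers: `putenv('AUTH_TOKEN')` removes the variable so getenv returns false, whereas `AUTH_TOKEN` set to an empty string reaches the same branch through a different value. A third test mirroring testAuthenticateFailsWhenAuthTokenUnset but calling `putenv('AUTH_TOKEN=');` would pin that behaviour. The new tests also leave `AUTH_TOKEN` unset for whatever runs after them; restoring it in `tearDown()` keeps the suite order-independent, unless the class, whose header lies outside the hunk, already does so.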
