Fixed Deprecating API authentication through query parameters

Chris D

XenForo developer
Staff member
For clarity, the fix is applied in this file:
Code:
src/XF/ConnectedAccount/Service/GitHub.php
This is what we use for GitHub requests, which is an extended version of the original library class. The fix for the other bug report is now applied in the same file.
 

kick

Well-known member
But this is not entirely correct. You are using AUTHORIZATION_METHOD_HEADER_BEARER.
PHP:
// Library branch that selects the RFC 6750 "Bearer" scheme for the Authorization header
elseif (static::AUTHORIZATION_METHOD_HEADER_BEARER === $this->getAuthorizationMethod()) {
    $extraHeaders = array_merge(array('Authorization' => 'Bearer ' . $token->getAccessToken()), $extraHeaders);
}
If you look at these links, it is clearly visible:
OAuth2 token (sent in a header)
$ curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com
and
3. Use the access token to access the API
The access token allows you to make requests to the API on a behalf of a user.
Authorization: token OAUTH-TOKEN
GET https://api.github.com/user
For example, in curl you can set the Authorization header like this:
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/user
But in the header you pass Bearer.
It would be correct to transmit it like this:
$extraHeaders = array_merge(array('Authorization' => 'token ' . $token->getAccessToken()), $extraHeaders);
but Bearer is passed instead.
 

Chris D

XenForo developer
Staff member
Is this expressly forbidden either in their API or in the OAuth spec? Or is the current approach failing? My tests seem to indicate that things are working fine as-is.

We'll investigate further.
 

kick

Well-known member
It will work, and an explanation of why the same parameter works is given at the following link; in some places this header is required to be passed.
As for GitHub, they support the token header "Bearer" because they allow that header to be used for other kinds of tokens beyond OAuth tokens, specifically personal access tokens and GitHub App tokens.
But at any moment this may stop working, and for authorization they recommend using "token".
 
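The point of the thread is that the access token must travel in the Authorization header rather than in the query string, and the follow-up is which scheme word precedes it. The snippet below is an added example (not XenForo's code and not the OAuth library's) that shows both halves: it strips credential-bearing query parameters from a request URL, builds the header with either the `token` scheme shown in GitHub's documentation or the `Bearer` scheme the library emits, and includes a small audit check for URLs that still carry a token in the query string. The helper names, the constructed URL and the placeholder token value are assumptions, not anything from the original posts.

```php
<?php
// Added example, not code from XenForo or from the OAuth library.
// Helper names, the sample URL and the placeholder token are assumptions.
declare(strict_types=1);

// The two header schemes discussed above: RFC 6750 "Bearer" (what the
// library emits) and "token" (what GitHub's own documentation shows).
const SCHEME_BEARER = 'Bearer';
const SCHEME_TOKEN  = 'token';

/**
 * True if the URL still carries credentials in the query string, the
 * pattern this thread is about moving away from. Handy for auditing
 * outgoing URLs or request logs.
 */
function hasTokenInQuery(string $url): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return false;
    }
    parse_str($query, $params);
    return isset($params['access_token']) || isset($params['client_secret']);
}

/**
 * Moves an access token out of the query string and into the
 * Authorization header. Returns [cleanUrl, headers].
 */
function buildHeaderAuthRequest(string $url, string $accessToken, string $scheme = SCHEME_TOKEN): array
{
    if (!in_array($scheme, [SCHEME_BEARER, SCHEME_TOKEN], true)) {
        throw new InvalidArgumentException("Unsupported scheme: $scheme");
    }
    // Refuse tokens that are empty or would inject extra header lines.
    if ($accessToken === '' || preg_match('/[\r\n]/', $accessToken)) {
        throw new InvalidArgumentException('Invalid access token');
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Unparseable URL: $url");
    }

    // Drop credential-bearing query parameters, keep everything else.
    $params = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params);
        unset($params['access_token'], $params['client_id'], $params['client_secret']);
    }

    $cleanUrl = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/')
        . ($params ? '?' . http_build_query($params) : '');

    $headers = [
        'Authorization' => $scheme . ' ' . $accessToken,
        'Accept'        => 'application/vnd.github.v3+json',
        'User-Agent'    => 'example-client', // GitHub rejects requests with no User-Agent
    ];

    return [$cleanUrl, $headers];
}

/** Formats the header map as "Name: value" lines for curl-style clients. */
function toCurlHeaderLines(array $headers): array
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    return $lines;
}

// Demo with a constructed URL and a placeholder token (not a real credential).
$legacy = 'https://api.github.com/user?access_token=PLACEHOLDER_TOKEN&per_page=10';
[$url, $headers] = buildHeaderAuthRequest($legacy, 'PLACEHOLDER_TOKEN', SCHEME_TOKEN);

if (hasTokenInQuery($url) || $url !== 'https://api.github.com/user?per_page=10') {
    throw new RuntimeException('token was not removed from the query string');
}
if ($headers['Authorization'] !== 'token PLACEHOLDER_TOKEN') {
    throw new RuntimeException('unexpected Authorization header');
}

echo "GET $url\n";
foreach (toCurlHeaderLines($headers) as $line) {
    echo $line, "\n";
}
```

Passing `SCHEME_BEARER` instead of `SCHEME_TOKEN` reproduces what the library currently sends; the rest of the request is identical, which is why both forms work against GitHub today as the posts above describe.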