From 0199ad3a77f0e8c7d6665ac797f2a03227fa6fd5 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Wed, 18 May 2022 23:42:30 +0200
Subject: [PATCH] Fix #84 - Reverse proxy guard authenticates even with invalid headers

---
 app/Services/Auth/ReverseProxyGuard.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/Services/Auth/ReverseProxyGuard.php b/app/Services/Auth/ReverseProxyGuard.php
index 97fd75ff..5515329c 100644
--- a/app/Services/Auth/ReverseProxyGuard.php
+++ b/app/Services/Auth/ReverseProxyGuard.php
@@ -69,7 +69,8 @@ public function user()
         $user = null;
 
         // Get the user identifier from $_SERVER or apache filtered headers
-        $remoteUserHeader = config('auth.auth_proxy_headers.user', 'REMOTE_USER');
+        $remoteUserHeader = config('auth.auth_proxy_headers.user');
+        $remoteUserHeader = $remoteUserHeader ?: 'REMOTE_USER';
 
         try {
             $identifier['user'] = request()->server($remoteUserHeader) ?? apache_request_headers()[$remoteUserHeader] ?? null;
@@ -78,8 +79,8 @@ public function user()
             $identifier['user'] = null;
         }
 
-        if (! $identifier['user']) {
-            Log::error(sprintf('No user in header "%s".', $remoteUserHeader));
+        if (!$identifier['user'] || is_array($identifier['user'])) {
+            Log::error(sprintf('Proxy remote-user header "%s" is empty or missing.', $remoteUserHeader));
             return $this->user = null;
         }
 
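Review bot: The two new assignment statements in the first hunk can be one expression, `$remoteUserHeader = config('auth.auth_proxy_headers.user') ?: 'REMOTE_USER';`, which reads like the line it replaces and makes the intent (an unset or empty config value falls back to the default header name) visible at a glance. `?:` tests truthiness, so a header name configured as the string `'0'` would also fall back to `REMOTE_USER`; that is harmless here but deserves a short comment such as `// empty/unset config value falls back to the default header name`. The same configured name feeds both the `$_SERVER` lookup and the `apache_request_headers()` fallback on the hunk's last context line, so the deployment has to guarantee the proxy sets that header on every request — presumably documented for this guard, but nothing in this code enforces it. The enclosing `user()` method starts before this hunk and continues past it.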
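Review bot: The replacement condition on the `if` line of the second hunk still decides by truthiness, so a proxy user whose identifier is the string `"0"` is rejected as missing, and an array value is reported by the next line as "empty or missing" although it is a malformed header rather than an absent one. `if (!is_string($identifier['user']) || $identifier['user'] === '') {` states the rule explicitly — anything that is not a non-empty string is rejected — which is the right defensive outcome for a value that selects the authenticated user. With that form the log line can describe the outcome accurately, e.g. `'Proxy remote-user header "%s" is missing, empty or not a string.'`. The enclosing `user()` method begins before the first hunk and continues after this one.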