Missing Authroization header in request

When developing REST API in Yii2, I found some development environments do not populate Authorization header in the request; as a result, I was not able to use HttpBearerAuth because the headers were missing in the request. Note that I still can use QueryParamAuth; although, I insist on using HttpBearerAuth instead of QueryParamAuth.


The issue is caused by CGI/FastCGI mode in Apache. I didn’t want to update server-side configuration; thus, do following changes in .htaccess:

  1. Update .htaccess


Above changes will create $_SERVER parameters including REDIRECT_HTTP_AUTHORIZATION and the REDIRECT_HTTP_AUTHORIZATION parameter contains Authorization header value.


But Yii2 HttpBearerAuth does not check $_SERVER[‘REDIRECT_HTTP_AUTHORIZATION’] value. Therefore, above .htaccess still not work for HttpBearerAuth.


To workaround the issue, I override HttpBearerAuth and add the code for checking $_SERVER parameter.

  1. Create a folder filters/auth
  2. Create a file HttpBearerAuth.php
  3. Update controller