#8 don't authorize if multiple auth header are sent

Author: BreiteSeite

src/BasicAccess.php

@@ -52,12 +52,15 @@ public function __construct(
 
     public function authenticate(ServerRequestInterface $request) : ?UserInterface
     {
-        $authHeader = $request->getHeader('Authorization');
-        if (! isset($authHeader[0])) {
+        $authHeaders = $request->getHeader('Authorization');
+
+        if (1 !== count($authHeaders)) {
             return null;
         }
 
-        if (! preg_match('/Basic (?P<credentials>.+)/', $authHeader[0], $match)) {
+        $authHeader = array_shift($authHeaders);
+
+        if (! preg_match('/Basic (?P<credentials>.+)/', $authHeader, $match)) {
             return null;
         }
 

test/BasicAccessTest.php

@@ -166,6 +166,12 @@ public function provideInvalidAuthenticationHeader(): array
             'only-pile-of-poo-emoji' => [['💩']],
             'basic-prefix-without-content' => [['Basic ']],
             'only-basic' => [['Basic']],
+            'multiple-auth-headers' => [
+                [
+                    ['Basic ' . base64_encode('Aladdin:OpenSesame')],
+                    ['Basic ' . base64_encode('Aladdin:OpenSesame')],
+                ],
+            ],
         ];
     }