fixes #2460 switch api auth header to X-PIWIGO-API

Replaces usage of the Authorization header with X-PIWIGO-API for API key authentication. This improves consistency and may address issues with standard Authorization header handling.
2026-03-28 17:42:57 +01:00 · 2025-12-01 18:12:31 +01:00
parent 66f0ef574d
commit 3da45eabac
3 changed files with 5 additions and 5 deletions
--- a/include/user.inc.php
+++ b/include/user.inc.php
@@ -59,12 +59,12 @@ if (isset($_GET['auth']))
 // HTTP_AUTHORIZATION api_key
 if (
  defined('IN_WS')
-  and isset($_SERVER['HTTP_AUTHORIZATION'])
-  and !empty($_SERVER['HTTP_AUTHORIZATION']) 
+  and isset($_SERVER['HTTP_X_PIWIGO_API'])
+  and !empty($_SERVER['HTTP_X_PIWIGO_API']) 
  and isset($_REQUEST['method'])
 )
 {
-  $auth_header = pwg_db_real_escape_string($_SERVER['HTTP_AUTHORIZATION']) ?? null;
+  $auth_header = pwg_db_real_escape_string($_SERVER['HTTP_X_PIWIGO_API']) ?? null;
  
  if ($auth_header)
  {
--- a/tools/ws.htm
+++ b/tools/ws.htm
@@ -125,7 +125,7 @@
                <div class="card-content">

                  <div class="header-setting">
-                    <p class="header-label">Authorization:</p>
+                    <p class="header-label">X-PIWIGO-API:</p>
                    <p class="header-warning">Doesn't work when you use "INVOKE (new window)"</p>
                    <input type="text" id="apiKey" placeholder="pkid-xxxxxxxx-xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" />
                  </div>
--- a/tools/ws/ws.js
+++ b/tools/ws/ws.js
@@ -346,7 +346,7 @@ $(() => {
        if (!useCookie) {
            fetchOption.credentials = 'omit';
            fetchOption.headers = {
-                Authorization: authorization
+                "X-PIWIGO-API": authorization
            }
        }