fix: let PHP handle basic auth. (#2142)

AlliBalliBaba · web-flow · commit 0c2a0105b56d · 2026-01-26T10:42:32.000+01:00
I noticed that PHP likes to handle and free basic auth parameters internally (see [here](https://github.com/php/php-src/blob/9f774e3a85d34f4aa1558613a9df7703ad3bb513/main/main.c#L2739) and [here](https://github.com/php/php-src/blob/9f774e3a85d34f4aa1558613a9df7703ad3bb513/main/SAPI.c#L514-L525)). This PR changes it so the basic auth header is forwarded to PHP instead of resolving it in go. I suspect that this might fix some crashes in shutdown functions (like #2121 and #1841) since it allows us freeing the `request_info` after shutdown is finished. I haven't been able to reproduce these crashes yet though.
diff --git a/cgi.go b/cgi.go
@@ -277,23 +277,13 @@ func splitPos(path string, splitPath []string) int {
 // See: https://github.com/php/php-src/blob/345e04b619c3bc11ea17ee02cdecad6ae8ce5891/main/SAPI.h#L72
 //
 //export go_update_request_info
-func go_update_request_info(threadIndex C.uintptr_t, info *C.sapi_request_info) {
+func go_update_request_info(threadIndex C.uintptr_t, info *C.sapi_request_info) *C.char {
 	thread := phpThreads[threadIndex]
 	fc := thread.frankenPHPContext()
 	request := fc.request
 
 	if request == nil {
-		return
-	}
-
-	authUser, authPassword, ok := request.BasicAuth()
-	if ok {
-		if authPassword != "" {
-			info.auth_password = thread.pinCString(authPassword)
-		}
-		if authUser != "" {
-			info.auth_user = thread.pinCString(authUser)
-		}
+		return nil
 	}
 
 	info.request_method = thread.pinCString(request.Method)
@@ -311,6 +301,13 @@ func go_update_request_info(threadIndex C.uintptr_t, info *C.sapi_request_info)
 	info.request_uri = thread.pinCString(request.URL.RequestURI())
 
 	info.proto_num = C.int(request.ProtoMajor*1000 + request.ProtoMinor)
+
+	authorizationHeader := request.Header.Get("Authorization")
+	if authorizationHeader == "" {
+		return nil
+	}
+
+	return thread.pinCString(authorizationHeader)
 }
 
 // SanitizedPathJoin performs filepath.Join(root, reqPath) that
diff --git a/frankenphp.c b/frankenphp.c
@@ -85,7 +85,11 @@ static void frankenphp_update_request_context() {
   /* status It is not reset by zend engine, set it to 200. */
   SG(sapi_headers).http_response_code = 200;
 
-  go_update_request_info(thread_index, &SG(request_info));
+  char *authorization_header =
+      go_update_request_info(thread_index, &SG(request_info));
+
+  /* let PHP handle basic auth */
+  php_handle_auth_data(authorization_header);
 }
 
 static void frankenphp_free_request_context() {
@@ -95,8 +99,6 @@ static void frankenphp_free_request_context() {
   }
 
   /* freed via thread.Unpin() */
-  SG(request_info).auth_password = NULL;
-  SG(request_info).auth_user = NULL;
   SG(request_info).request_method = NULL;
   SG(request_info).query_string = NULL;
   SG(request_info).content_type = NULL;
@@ -187,9 +189,9 @@ static void frankenphp_worker_request_shutdown() {
   zend_end_try();
 
   /* SAPI related shutdown (free stuff) */
-  frankenphp_free_request_context();
   zend_try { sapi_deactivate(); }
   zend_end_try();
+  frankenphp_free_request_context();
 
   zend_set_memory_limit(PG(memory_limit));
 }
@@ -609,8 +611,8 @@ static zend_module_entry frankenphp_module = {
     STANDARD_MODULE_PROPERTIES};
 
 static void frankenphp_request_shutdown() {
-  frankenphp_free_request_context();
   php_request_shutdown((void *)0);
+  frankenphp_free_request_context();
 }
 
 static int frankenphp_startup(sapi_module_struct *sapi_module) {
@@ -1055,8 +1057,7 @@ static int frankenphp_request_startup() {
     return SUCCESS;
   }
 
-  frankenphp_free_request_context();
-  php_request_shutdown((void *)0);
+  frankenphp_request_shutdown();
 
   return FAILURE;
 }
