Chris@0: <?php
Chris@0: 
Chris@0: namespace Drupal\basic_auth\PageCache;
Chris@0: 
Chris@0: use Drupal\Core\PageCache\RequestPolicyInterface;
Chris@0: use Symfony\Component\HttpFoundation\Request;
Chris@0: 
Chris@0: /**
Chris@0:  * Cache policy for pages served from basic auth.
Chris@0:  *
Chris@0:  * This policy disallows caching of requests that use basic_auth for security
Chris@0:  * reasons. Otherwise responses for authenticated requests can get into the
Chris@0:  * page cache and could be delivered to unprivileged users.
Chris@0:  */
Chris@0: class DisallowBasicAuthRequests implements RequestPolicyInterface {
Chris@0: 
Chris@0:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   public function check(Request $request) {
Chris@0:     $username = $request->headers->get('PHP_AUTH_USER');
Chris@0:     $password = $request->headers->get('PHP_AUTH_PW');
Chris@0:     if (isset($username) && isset($password)) {
Chris@0:       return self::DENY;
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0: }