Check for REDIRECT_REMOTE_USER as well

src/Module/OAuth/Token.php

@@ -46,8 +46,14 @@ class Token extends BaseApi
 		]);
 
 		// AndStatus transmits the client data in the AUTHORIZATION header field, see https://github.com/andstatus/andstatus/issues/530
-		if (empty($request['client_id']) && !empty($_SERVER['HTTP_AUTHORIZATION']) && (substr($_SERVER['HTTP_AUTHORIZATION'], 0, 6) == 'Basic ')) {
-			$datapair = explode(':', base64_decode(trim(substr($_SERVER['HTTP_AUTHORIZATION'], 6))));
+		$authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+		if (empty($authorization)) {
+			// workaround for HTTP-auth in CGI mode
+			$authorization = $_SERVER['REDIRECT_REMOTE_USER'] ?? '';
+		}
+
+		if (empty($request['client_id']) && !empty($authorization) && (substr($authorization, 0, 6) == 'Basic ')) {
+			$datapair = explode(':', base64_decode(trim(substr($authorization, 6))));
 			if (count($datapair) == 2) {
 				$request['client_id']     = $datapair[0];
 				$request['client_secret'] = $datapair[1];

src/Security/BasicAuth.php

@@ -124,7 +124,7 @@ class BasicAuth
 		// workaround for HTTP-auth in CGI mode
 		if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
 			$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
-			if (strlen($userpass)) {
+			if (!empty($userpass) && strpos($userpass, ':')) {
 				list($name, $password) = explode(':', $userpass);
 				$_SERVER['PHP_AUTH_USER'] = $name;
 				$_SERVER['PHP_AUTH_PW'] = $password;

src/Security/OAuth.php

@@ -83,6 +83,11 @@ class OAuth
 	{
 		$authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
 
+		if (empty($authorization)) {
+			// workaround for HTTP-auth in CGI mode
+			$authorization = $_SERVER['REDIRECT_REMOTE_USER'] ?? '';
+		}
+
 		if (substr($authorization, 0, 7) != 'Bearer ') {
 			return [];
 		}