From a4a8f6e661e7e61da91e5887542d857da4b5a5e0 Mon Sep 17 00:00:00 2001
From: Alex McRoberts
Date: Mon, 27 May 2013 21:27:30 -0700
Subject: [PATCH] This fixes #57. By passing in a conditional flag refering to headersOnly, the library would stil respect RFC6749 Section 7 and RFC6750 Section 2.

---
 src/League/OAuth2/Server/Resource.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/League/OAuth2/Server/Resource.php b/src/League/OAuth2/Server/Resource.php
index 647441c9..49f149ee 100644
--- a/src/League/OAuth2/Server/Resource.php
+++ b/src/League/OAuth2/Server/Resource.php
@@ -173,12 +173,13 @@ class Resource
     /**
      * Checks if the access token is valid or not.
      *
+     * @param $headersOnly Limit Access Token to Authorization header only
      * @throws Exception\InvalidAccessTokenException Thrown if the presented access token is not valid
      * @return bool
      */
-    public function isValid()
+    public function isValid($headersOnly = false)
     {
-        $accessToken = $this->determineAccessToken();
+        $accessToken = $this->determineAccessToken($headersOnly);
 
         $result = $this->storages['session']->validateAccessToken($accessToken);
 
@@ -237,10 +238,11 @@ class Resource
     /**
      * Reads in the access token from the headers.
      *
+     * @param $headersOnly Limit Access Token to Authorization header only
      * @throws Exception\MissingAccessTokenException Thrown if there is no access token presented
      * @return string
      */
-    protected function determineAccessToken()
+    protected function determineAccessToken($headersOnly = false)
     {
         if ($header = $this->getRequest()->header('Authorization')) {
             // Check for special case, because cURL sometimes does an
@@ -256,7 +258,7 @@ class Resource
                 $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header));
             }
             $accessToken = ($accessToken === 'Bearer') ? '' : $accessToken;
-        } else {
+        } elseif ($headersOnly === false) {
             $method = $this->getRequest()->server('REQUEST_METHOD');
             $accessToken = $this->getRequest()->{$method}($this->tokenKey);
         }
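Review bot: The new `@param $headersOnly` tag on isValid's docblock carries no type, and the parameter itself is untyped with a bare `false` default, so callers get no signal that a boolean is meant; determineAccessToken's docblock in the next hunk has the same omission. I would write `@param bool $headersOnly Limit Access Token to Authorization header only` in both places. It is also worth saying in the docblock that the default keeps the existing behaviour of also accepting the token from the request parameters, the presentation methods RFC 6750 treats as less preferred, so integrators who want header-only presentation know they must opt in with `true`. isValid's body continues outside the hunk.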
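Review bot: The summary line `Reads in the access token from the headers.` is now only accurate when `$headersOnly` is true; with the default the method falls through to the request parameters (the fallback branch is in the following hunk). Suggested wording: `Reads in the access token from the Authorization header, falling back to the request parameters unless $headersOnly is set.` determineAccessToken's body continues past the hunk.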
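Review bot: With `$headersOnly` true and no Authorization header present, neither branch assigns `$accessToken` (and the preceding hunk shows nothing initialises it between the opening brace and the `if`), so whatever follows this hunk works on an undefined variable rather than an empty string — an undefined-variable notice, and any missing-token check relies on `empty()` happening to tolerate that. Assign `$accessToken = '';` before the `if`, or add an `else` that throws Exception\MissingAccessTokenException as the docblock promises. Separately, the strict `$headersOnly === false` on an untyped parameter means a caller passing `null` or `0` silently gets header-only behaviour; `} elseif (!$headersOnly) {` matches the intent of a boolean flag. The end of determineAccessToken, including the presumably existing missing-token check, lies outside the hunk.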