- list($bearer, $token) = explode(' ', $_SERVER['HTTP_AUTHORIZATION'], 2);
+ if (strpos($auth, ' ') === false) {
+ mpError(
+ 'HTTP/1.0 403 Forbidden', 'forbidden',
+ 'Authorization header must start with "Bearer "'
+ );
+ }
+ list($bearer, $token) = explode(' ', $auth, 2);