Allow other casings for bearer scheme token.

pascaldekloe · Apr 19, 2020 · 3e1dac8 · 3e1dac8
1 parent 575e6b8
commit 3e1dac8
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -150,6 +150,7 @@ EdDSA [Ed25519] produces small signatures and it performs well.
 
 ## Standard Compliance
 
+* RFC 2617: “HTTP Authentication”
 * RFC 6750: “The OAuth 2.0 Authorization Framework: Bearer Token Usage”
 * RFC 7468: “Textual Encodings of PKIX, PKCS, and CMS Structures”
 * RFC 7515: “JSON Web Signature (JWS)”

diff --git a/web.go b/web.go
@@ -87,7 +87,10 @@ func tokenFromHeader(r *http.Request) ([]byte, error) {
 
 	const prefix = "Bearer "
 	if !strings.HasPrefix(auth, prefix) {
-		return nil, errAuthSchema
+		// RFC 2617, subsection 1.2 defines the scheme token as case-insensitive.
+		if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
+			return nil, errAuthSchema
+		}
 	}
 	return []byte(auth[len(prefix):]), nil
 }

diff --git a/web_test.go b/web_test.go
@@ -25,19 +25,19 @@ func TestCheckHeader(t *testing.T) {
 		t.Error("ECDSA error:", err)
 	}
 
-	req.Header.Set("Authorization", "Bearer "+goldenEdDSAs[0].token)
+	req.Header.Set("Authorization", "BEARER "+goldenEdDSAs[0].token)
 	_, err = EdDSACheckHeader(req, goldenEdDSAs[0].key)
 	if err != nil {
 		t.Error("EdDSA error:", err)
 	}
 
-	req.Header.Set("Authorization", "Bearer "+goldenHMACs[0].token)
+	req.Header.Set("Authorization", "bearer "+goldenHMACs[0].token)
 	_, err = HMACCheckHeader(req, goldenHMACs[0].secret)
 	if err != nil {
 		t.Error("HMAC error:", err)
 	}
 
-	req.Header.Set("Authorization", "Bearer "+goldenRSAs[0].token)
+	req.Header.Set("Authorization", "bEArEr "+goldenRSAs[0].token)
 	_, err = RSACheckHeader(req, goldenRSAs[0].key)
 	if err != nil {
 		t.Error("RSA error:", err)