prosody-modules: mod_http_oauth2/mod_http

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5931:ca3479c67e48

mod_http_oauth2: HTTP authentication schemes are case-insensitive According to RFC 9110 section 11 > It uses a case-insensitive token to identify the authentication scheme

author	Kim Alvefur <zash@zash.se>
date	Sun, 14 Jul 2024 17:47:06 +0200
parents	761142ee0ff2
children	46394b327d17

comparison

equal deleted inserted replaced

-:acd39d33170e
+:ca3479c67e48
 local function get_request_credentials(request)
 	if not request.headers.authorization then return; end
 	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
-	if auth_type == "Basic" then
+	-- As described in Section 2.3 of [RFC5234], the string Bearer is case-insensitive.
+	-- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-5.1.1
+	auth_type = auth_type:lower();
+	if auth_type == "basic" then
 		local creds = base64.decode(auth_data);
 		if not creds then return; end
 		local username, password = string.match(creds, "^([^:]+):(.*)$");
 		if not username then return; end
 		return {
 			type = "basic";
 			username = username;
 			password = password;
 		};
-	elseif auth_type == "Bearer" then
+	elseif auth_type == "bearer" then
 		return {
 			type = "bearer";
 			bearer_token = auth_data;
 		};
 	end

Mercurial > prosody-modules

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5931:ca3479c67e48