Mercurial > prosody-modules
diff mod_http_oauth2/mod_http_oauth2.lua @ 5931:ca3479c67e48
mod_http_oauth2: HTTP authentication schemes are case-insensitive
According to RFC 9110 section 11
> It uses a case-insensitive token to identify the authentication scheme
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 14 Jul 2024 17:47:06 +0200 |
| parents | 761142ee0ff2 |
| children | 46394b327d17 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 11 19:13:18 2024 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Jul 14 17:47:06 2024 +0200 @@ -698,7 +698,11 @@ local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); - if auth_type == "Basic" then + -- As described in Section 2.3 of [RFC5234], the string Bearer is case-insensitive. + -- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-5.1.1 + auth_type = auth_type:lower(); + + if auth_type == "basic" then local creds = base64.decode(auth_data); if not creds then return; end local username, password = string.match(creds, "^([^:]+):(.*)$"); @@ -708,7 +712,7 @@ username = username; password = password; }; - elseif auth_type == "Bearer" then + elseif auth_type == "bearer" then return { type = "bearer"; bearer_token = auth_data;