# HG changeset patch
# User Kim Alvefur
# Date 1720972026 -7200
# Node ID ca3479c67e48e8c57c69a5d20db7ae98c75ca120
# Parent acd39d33170e1a09ed75a2a1b65318d55a7d02ed
mod_http_oauth2: HTTP authentication schemes are case-insensitive

According to RFC 9110 section 11

> It uses a case-insensitive token to identify the authentication scheme

diff -r acd39d33170e -r ca3479c67e48 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Jul 11 19:13:18 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Jul 14 17:47:06 2024 +0200
@@ -698,7 +698,11 @@
 	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
-	if auth_type == "Basic" then
+	-- As described in Section 2.3 of [RFC5234], the string Bearer is case-insensitive.
+	-- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-5.1.1
+	auth_type = auth_type:lower();
+
+	if auth_type == "basic" then
 		local creds = base64.decode(auth_data);
 		if not creds then return; end
 		local username, password = string.match(creds, "^([^:]+):(.*)$");
@@ -708,7 +712,7 @@
 			username = username;
 			password = password;
 		};
-	elseif auth_type == "Bearer" then
+	elseif auth_type == "bearer" then
 		return {
 			type = "bearer";
 			bearer_token = auth_data;
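Review bot: `auth_type:lower()` on the new side of the first hunk indexes `auth_type` unconditionally, but the `string.match` on the line above yields nil whenever the Authorization value does not fit `^(%S+)%s(.+)$` (a scheme with no parameter, or no whitespace at all), so such a header now raises "attempt to index a nil value" where the old comparisons simply fell through and the function returned nothing. A one-line guard before the lowercasing keeps the previous behaviour for that input: `if not auth_type then return; end`. Whether an earlier line already rejects an absent or malformed header cannot be seen from here — the enclosing function starts before the hunk — but a failed match is independent of that check. The added comment cites RFC 5234 §2.3 and "the string Bearer" directly above a `basic` comparison, which reads oddly; citing RFC 9110 §11.1 as the commit message does, e.g. `-- RFC 9110 §11.1: the authentication scheme token is case-insensitive`, would make it self-explanatory. The second hunk's `"bearer"` comparison relies on the same lowercasing and needs no separate change.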