# HG changeset patch
# User Kim Alvefur
# Date 1720972728 -7200
# Node ID d5e6617e47ccc718e3f0d9ffc692d56609a3a502
# Parent ca3479c67e48e8c57c69a5d20db7ae98c75ca120
mod_rest: Fix to allow case sensitive HTTP authentication scheme
Per RFC 9110 section 11
> It uses a case-insensitive token to identify the authentication scheme
diff -r ca3479c67e48 -r d5e6617e47cc mod_rest/mod_rest.lua
--- a/mod_rest/mod_rest.lua Sun Jul 14 17:47:06 2024 +0200
+++ b/mod_rest/mod_rest.lua Sun Jul 14 17:58:48 2024 +0200
@@ -23,7 +23,7 @@
 -- Lower than the default c2s size limit to account for possible JSON->XML size increase
 local stanza_size_limit = module:get_option_number("rest_stanza_size_limit", 1024 * 192);
-local auth_mechanisms = module:get_option_set("rest_auth_mechanisms", { "Basic", "Bearer" });
+local auth_mechanisms = module:get_option_set("rest_auth_mechanisms", { "Basic", "Bearer" }) / string.lower;
 local www_authenticate_header;
 do
@@ -53,11 +53,12 @@
 local function check_credentials(request) -- > session | boolean, error
 	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
+	auth_type = auth_type:lower();
 	if not (auth_type and auth_data) or not auth_mechanisms:contains(auth_type) then
 		return nil, post_errors.new("noauthz", { request = request });
 	end
-	if auth_type == "Basic" then
+	if auth_type == "basic" then
 		local creds = base64.decode(auth_data);
 		if not creds then
 			return nil, post_errors.new("malformauthz", { request = request });
@@ -74,7 +75,7 @@
 			return false, post_errors.new("unauthz", { request = request });
 		end
 		return { username = username; host = module.host };
-	elseif auth_type == "Bearer" then
+	elseif auth_type == "bearer" then
 		if tokens.get_token_session then
 			return tokens.get_token_session(auth_data);
 		else -- COMPAT w/0.12
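Review bot: The `/ string.lower` appended to the option set depends on util.set's division metamethod mapping a function over the members, which a reader will not guess from the line itself, so the definition should carry a comment such as `-- set / f maps f over the members; schemes are compared lower-cased because RFC 9110 §11.1 makes the scheme token case-insensitive`. The defaults can keep their canonical spelling because they go through the same normalisation, and the comment should say so, otherwise the next person is likely to "fix" them to lower case and hide the reason for the mapping. Nothing else in the hunk changes, so the note is the whole suggestion.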
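Review bot: `auth_type = auth_type:lower();` is placed before the `if not (auth_type and auth_data)` guard, so an Authorization header that does not match `^(%S+)%s(.+)$` (a bare scheme with no parameter, for example) now raises "attempt to index a nil value" instead of reaching the noauthz path the following lines were written for. A client-controlled malformed header thereby produces a server-side error response and loses the intended 401 rejection. Make the normalisation nil-safe, `auth_type = auth_type and auth_type:lower();`, or move the line below the guard. check_credentials continues past the end of the hunk, and whether the caller already guarantees request.headers.authorization is non-nil is not visible here.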