changeset 5931:ca3479c67e48

mod_http_oauth2: HTTP authentication schemes are case-insensitive. According to RFC 9110 section 11: "It uses a case-insensitive token to identify the authentication scheme".
author Kim Alvefur <zash@zash.se>
date Sun, 14 Jul 2024 17:47:06 +0200
parents acd39d33170e
children d5e6617e47cc
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 6 insertions(+), 2 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Jul 11 19:13:18 2024 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Jul 14 17:47:06 2024 +0200
@@ -698,7 +698,11 @@
 
 	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
 
-	if auth_type == "Basic" then
+	-- As described in Section 2.3 of [RFC5234], the string Bearer is case-insensitive.
+	-- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-5.1.1
+	auth_type = auth_type:lower();
+
+	if auth_type == "basic" then
 		local creds = base64.decode(auth_data);
 		if not creds then return; end
 		local username, password = string.match(creds, "^([^:]+):(.*)$");
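Review bot: `auth_type:lower()` on the added line raises "attempt to index a nil value" whenever the Authorization header does not match the pattern `^(%S+)%s(.+)$` above it, because string.match then returns nil — for example a bare `Authorization: Bearer` with no token, or a scheme followed only by whitespace. Before this change a nil auth_type simply failed both string comparisons and fell through, so a malformed header from an unauthenticated client now becomes a handler error rather than an unauthenticated result. Guard before lowering, `if not auth_type then return; end` immediately above `auth_type = auth_type:lower();`, or write `auth_type = auth_type and auth_type:lower();`. The enclosing function starts before this hunk; if an earlier check already rejects headers without a scheme and data this is moot, but nothing visible here shows one.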
@@ -708,7 +712,7 @@
 			username = username;
 			password = password;
 		};
-	elseif auth_type == "Bearer" then
+	elseif auth_type == "bearer" then
 		return {
 			type = "bearer";
 			bearer_token = auth_data;