changeset 5932:d5e6617e47cc

mod_rest: Fix to allow case-insensitive matching of the HTTP authentication scheme. Per RFC 9110 section 11: > It uses a case-insensitive token to identify the authentication scheme
author Kim Alvefur <zash@zash.se>
date Sun, 14 Jul 2024 17:58:48 +0200
parents ca3479c67e48
children 2739d3db591f
files mod_rest/mod_rest.lua
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
--- a/mod_rest/mod_rest.lua	Sun Jul 14 17:47:06 2024 +0200
+++ b/mod_rest/mod_rest.lua	Sun Jul 14 17:58:48 2024 +0200
@@ -23,7 +23,7 @@
 -- Lower than the default c2s size limit to account for possible JSON->XML size increase
 local stanza_size_limit = module:get_option_number("rest_stanza_size_limit", 1024 * 192);
 
-local auth_mechanisms = module:get_option_set("rest_auth_mechanisms", { "Basic", "Bearer" });
+local auth_mechanisms = module:get_option_set("rest_auth_mechanisms", { "Basic", "Bearer" }) / string.lower;
 
 local www_authenticate_header;
 do
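Review bot: Lowercasing the whole `auth_mechanisms` set on line 19 changes not only the comparison but also whatever else is derived from the set; the `do` block that builds `www_authenticate_header` begins on the last line of this hunk and its body is outside it, so if it enumerates `auth_mechanisms` the challenge will now advertise `basic`/`bearer` instead of the configured `Basic`/`Bearer`. RFC 9110 makes the scheme token case-insensitive for recipients, but plenty of clients compare the advertised scheme literally, so emitting the canonical capitalisation is the safer choice. If that is the case, I would keep the configured set untouched and fold only the comparison side, e.g. `local auth_mechanisms_lc = auth_mechanisms / string.lower;` used by check_credentials, with `auth_mechanisms` still feeding the header; a short comment such as `-- compared lowercase per RFC 9110 §11; keep original case for WWW-Authenticate` would make the intent clear either way.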
@@ -53,11 +53,12 @@
 
 local function check_credentials(request) -- > session | boolean, error
 	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
+	auth_type = auth_type:lower();
 	if not (auth_type and auth_data) or not auth_mechanisms:contains(auth_type) then
 		return nil, post_errors.new("noauthz", { request = request });
 	end
 
-	if auth_type == "Basic" then
+	if auth_type == "basic" then
 		local creds = base64.decode(auth_data);
 		if not creds then
 			return nil, post_errors.new("malformauthz", { request = request });
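Review bot: The new `auth_type = auth_type:lower();` on line 27 runs before the `if not (auth_type and auth_data)` guard on line 28, so an Authorization header that is present but does not match the `^(%S+)%s(.+)$` pattern (a single token, or no space) leaves `auth_type` nil and the method call raises "attempt to index a nil value" instead of returning the `noauthz` error the guard was written to produce. Since this is reachable by any unauthenticated client sending a malformed header, it turns a clean authorization failure into a handler error. Guard the call: `auth_type = auth_type and auth_type:lower();` (or move the lowercasing below the nil check). The same lowercase comparison is used by the `bearer` branch in the following hunk, which is fine once this line is fixed; check_credentials continues outside this hunk.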
@@ -74,7 +75,7 @@
 			return false, post_errors.new("unauthz", { request = request });
 		end
 		return { username = username; host = module.host };
-	elseif auth_type == "Bearer" then
+	elseif auth_type == "bearer" then
 		if tokens.get_token_session then
 			return tokens.get_token_session(auth_data);
 		else -- COMPAT w/0.12