
Ignore case of auth scheme in request header

Some clients send an authorization header containing the "bearer"
keyword in lower case. This led to echo responding with "missing or
malformed jwt".

Request.BasicAuth (net/http) has ignored the basic auth scheme's case for a
while now: https://go-review.googlesource.com/c/go/+/111516/
Philipp Thun 2021-08-09 17:21:13 +02:00 committed by Martti T
parent fcda0e8840
commit 499097e061
2 changed files with 6 additions and 1 deletions


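--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -295,7 +295,7 @@ func jwtFromHeader(header string, authScheme string) jwtExtractor {
 return func(c echo.Context) (string, error) {
 auth := c.Request().Header.Get(header)
 l := len(authScheme)
-if len(auth) > l+1 && auth[:l] == authScheme {
+if len(auth) > l+1 && strings.EqualFold(auth[:l], authScheme) {
 return auth[l+1:], nil
 }
 return "", ErrJWTMissing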
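Review bot: The rewritten condition still never inspects the byte that separates the scheme from the credentials, so after the length and (now case-insensitive) prefix check pass, `auth[l+1:]` is returned whatever character sits at `auth[l]`, for example a tab or a hyphen instead of the space RFC 7235 puts there. Pinning the separator keeps the fix intact: `if len(auth) > l+1 && strings.EqualFold(auth[:l], authScheme) && auth[l] == ' ' {`. Note that strings.EqualFold applies Unicode simple case folding rather than the ASCII-only case-insensitivity HTTP defines for auth-scheme names; that is broader than strictly needed but matches what net/http's Request.BasicAuth does, so it is acceptable for the default "Bearer" scheme, and a short comment on that line saying so would save the next reader the same question. The jwtFromHeader closure returned here continues outside the hunk.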


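--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -261,6 +261,11 @@ func TestJWT(t *testing.T) {
 expErrCode: http.StatusUnauthorized,
 info: "Token verification does not pass using a user-defined KeyFunc",
 },
+{
+hdrAuth: strings.ToLower(DefaultJWTConfig.AuthScheme) + " " + token,
+config: JWTConfig{SigningKey: validKey},
+info: "Valid JWT with lower case AuthScheme",
+},
 } {
 if tc.reqURL == "" {
 tc.reqURL = "/"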
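Review bot: The new table entry covers only the all-lower-case spelling of the scheme, whereas the production change switched to strings.EqualFold, which also accepts upper- and mixed-case spellings; a second entry such as `hdrAuth: strings.ToUpper(DefaultJWTConfig.AuthScheme) + " " + token,` with the same config and an info string like "Valid JWT with upper case AuthScheme" would pin that behaviour too. The added case also relies on `strings` already being imported in this test file, which the hunk does not show. The TestJWT table starts before the hunk and the loop body continues after it.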