Basic scheme is case-insensitive (#1033)

2025-07-05 00:58:47 +02:00 · 2017-11-21 06:57:41 +07:00
parent b28538b2e3
commit 7fe7f348eb
2 changed files with 9 additions and 2 deletions
--- a/middleware/basic_auth.go
+++ b/middleware/basic_auth.go
@ -3,6 +3,7 @@ package middleware
 import (
 	"encoding/base64"
 	"strconv"
 	"strings"
 	"github.com/labstack/echo"
 )
@ -27,7 +28,7 @@ type (
 )
 const (
-	basic        = "Basic"
+	basic        = "basic"
 	defaultRealm = "Restricted"
 )
@ -72,7 +73,7 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 			auth := c.Request().Header.Get(echo.HeaderAuthorization)
 			l := len(basic)
-			if len(auth) > l+1 && auth[:l] == basic {
+			if len(auth) > l+1 && strings.ToLower(auth[:l]) == basic {
 				b, err := base64.StdEncoding.DecodeString(auth[l+1:])
 				if err != nil {
 					return err
--- a/middleware/basic_auth_test.go
+++ b/middleware/basic_auth_test.go
@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/labstack/echo"
@ -30,6 +31,11 @@ func TestBasicAuth(t *testing.T) {
 	req.Header.Set(echo.HeaderAuthorization, auth)
 	assert.NoError(t, h(c))
 	// Case-insensitive header scheme
 	auth = strings.ToUpper(basic) + " " + base64.StdEncoding.EncodeToString([]byte("joe:secret"))
 	req.Header.Set(echo.HeaderAuthorization, auth)
 	assert.NoError(t, h(c))
 	// Invalid credentials
 	auth = basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:invalid-password"))
 	req.Header.Set(echo.HeaderAuthorization, auth)