Open
Description
Context
According to RFC 7235, the authentication scheme is case-insensitive.
Current Behavior
Some clients downcase the scheme (e.g. `authorization: bearer xyz`), which results in Prism rejecting the request and triggering the 401 response.
The current implementation expects exact matches for all schemes.
Expected Behavior
Prism should downcase the scheme.
The following are all equivalent:
Authorization: Bearer xyz
Authorization: bearer xyz
authorization: bearer xyz
AutHORizAtIon: BeaRer xyz
Possible Workaround/Solution
n/a
Steps to Reproduce
Start a mock with the following OAD:
```yaml
openapi: 3.1.1
info:
  title: Scheme Repro
security:
  - bearerAuth: []
paths:
  /:
    get:
      summary: Authenticate
      operationId: authenticate
      security:
        - bearerAuth: []
      responses:
        '200':
          description: Authenticated user information retrieved successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: Bearer token authentication
  responses:
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/UnauthorizedError'
  schemas:
    User:
      description: A user
      type: object
      properties:
        id:
          type: integer
    UnauthorizedError:
      description: An error
      type: object
      properties:
        type:
          type: string
        title:
          type: string
        status:
          type: integer
          format: int64
        detail:
          type: string
```
Run the following curl commands to see the different behaviour:
```shell
$ curl http://localhost:4010/ -H "Authorization: bearer 1234"
{"type":"string","title":"string","status":-9007199254740991,"detail":"string"} # 401

$ curl http://localhost:4010/ -H "Authorization: Bearer 1234"
{"id":-9007199254740991} # 200
```
Environment
- Version used: 5.14.2
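As an added illustration of the expected behaviour described above (this is example code written for this page, not Prism's own implementation), the following shows an Authorization check that treats the header name (RFC 7230) and the authentication scheme (RFC 7235) case-insensitively while leaving the credentials untouched. It assumes a plain `headers` object as Node's `http` module exposes it and that the expected scheme comes from the OAD's `securitySchemes` entry (`scheme: bearer`); the helper names `getHeader`, `parseAuthorization` and `checkHttpAuth` are invented for this example.

```javascript
// Added example, not Prism's code: RFC 7235 case-insensitive scheme matching.
// Assumptions: `headers` is a plain object of header name -> value, and the
// expected scheme string comes from the OAD's securityScheme (e.g. "bearer").

// HTTP field names are case-insensitive (RFC 7230 §3.2), so look the header
// up without relying on the caller's capitalisation.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Split "<scheme> <credentials>" into its parts. The scheme must be an RFC 7230
// token; credentials must be non-empty. Returns null for absent or malformed input.
function parseAuthorization(value) {
  if (typeof value !== 'string') return null;
  const match = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s+(\S.*?)\s*$/.exec(value);
  if (!match) return null;
  return { scheme: match[1], credentials: match[2] };
}

// Decide whether a request satisfies an `http`-type security scheme.
// The scheme comparison is case-insensitive (RFC 7235 §2.1). The credentials
// are returned exactly as sent, because a bearer token's case is significant
// and must never be normalised.
function checkHttpAuth(headers, expectedScheme) {
  const parsed = parseAuthorization(getHeader(headers, 'Authorization'));
  if (!parsed) {
    return { ok: false, status: 401, reason: 'missing or malformed Authorization header' };
  }
  if (parsed.scheme.toLowerCase() !== expectedScheme.toLowerCase()) {
    return { ok: false, status: 401, reason: `expected scheme ${expectedScheme}, got ${parsed.scheme}` };
  }
  return { ok: true, status: 200, credentials: parsed.credentials };
}

// Constructed sample requests: the four "equivalent" headers from the issue,
// plus cases that must still be rejected.
const samples = [
  { Authorization: 'Bearer xyz' },
  { Authorization: 'bearer xyz' },
  { authorization: 'bearer xyz' },
  { AutHORizAtIon: 'BeaRer xyz' },
  { Authorization: 'Basic xyz' }, // wrong scheme
  { Authorization: 'Bearer' },    // scheme without credentials
  {},                             // no header at all
];

// Run every sample against the OAD's `scheme: bearer` and return the verdicts.
function runSamples() {
  return samples.map((h) => ({ headers: h, result: checkHttpAuth(h, 'bearer') }));
}

for (const entry of runSamples()) {
  console.log(JSON.stringify(entry.headers), '->', entry.result.status, entry.result.reason || 'ok');
}
```

The first four samples all yield 200 and the last three 401, which is the behaviour the issue asks for. Note that only the scheme is folded to lower case; lowercasing the whole header value would silently change the token a mock hands back to the caller.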