Ignore case-sensitivity for "Bearer"

golang-jwt · Aug 15, 2022 · 09600b6 · 09600b6
1 parent 781c8bd
commit 09600b6
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/request/extractor.go b/request/extractor.go
@@ -88,7 +88,10 @@ type BearerExtractor struct{}
 
 func (e BearerExtractor) ExtractToken(req *http.Request) (string, error) {
 	tokenHeader := req.Header.Get("Authorization")
-	if tokenHeader == "" || !strings.HasPrefix(tokenHeader, "Bearer ") {
+	// The usual convention is for "Bearer" to be title-cased. However,
+	// there's no strict rule around this, and it's best to follow the
+	// robustness principle here.
+	if tokenHeader == "" || !strings.HasPrefix(strings.ToLower(tokenHeader), "bearer ") {
 		return "", ErrNoTokenInRequest
 	}
 	return strings.TrimPrefix(tokenHeader, "Bearer "), nil