jaredhanson / passport-http-bearer

HTTP Bearer authentication strategy for Passport and Node.js.

Is passing the bearer token in access_token still allowed? #42

Open codecowboy opened 8 years ago

codecowboy commented 8 years ago

I see this comment in strategy.js:

This is in a project which has passport-http-bearer as a dependency (version 1.0.1) – https://github.com/NodeBB/nodebb-plugin-write-api

I've tried asking the maintainer of that project but he says the following code is not his:

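/**
 * Authenticate a request by looking for an OAuth 2.0 bearer token.
 *
 * The token is looked up in three places, in this order:
 *   1. the `Authorization: Bearer <token>` request header,
 *   2. the `access_token` body parameter (`req.body.access_token`),
 *   3. the `access_token` query parameter (`req.query.access_token`).
 *
 * Finding a token in a second location fails the request with 400 (RFC 6750
 * forbids transmitting the token by more than one method per request). A
 * present `Authorization` header that does not split into exactly two
 * space-separated parts also fails with 400. No token at all fails with the
 * strategy's bare challenge; a token the verify callback rejects fails with an
 * `invalid_token` challenge carrying the callback's message, if any.
 *
 * Note: the body parameter is accepted regardless of request content type,
 * and query-string tokens are accepted even though they commonly end up in
 * server logs and Referer headers; deployments that want to disallow either
 * source cannot rely on this method to reject it.
 *
 * @param {Object} req - The incoming request; `headers`, `body` and `query`
 *   are each optional and read only if present.
 */
Strategy.prototype.authenticate = function(req) {
  var token;

  if (req.headers && req.headers.authorization) {
    var parts = req.headers.authorization.split(' ');
    if (parts.length !== 2) {
      // Anything other than `<scheme> <credentials>` is treated as malformed.
      return this.fail(400);
    }
    var scheme = parts[0];
    var credentials = parts[1];
    // Scheme names are case-insensitive (RFC 7235 section 2.1).
    if (/^Bearer$/i.test(scheme)) {
      token = credentials;
    }
    // A header using another scheme (e.g. Basic) leaves `token` unset, so the
    // body and query parameters below are still consulted.
  }

  if (req.body && req.body.access_token) {
    // A header token plus a body token is two transmission methods: reject.
    if (token) { return this.fail(400); }
    token = req.body.access_token;
  }

  if (req.query && req.query.access_token) {
    // Same rule for a query token when one was already found elsewhere.
    if (token) { return this.fail(400); }
    token = req.query.access_token;
  }

  if (!token) { return this.fail(this._challenge()); }

  var self = this;

  /**
   * Completion callback handed to the verify function.
   *
   * @param {Error|null} err - Verification error; reported via `error`.
   * @param {Object|false} user - Authenticated user, or falsy on rejection.
   * @param {Object|string} [info] - Optional info; a string is treated as
   *   `{ message: string }`.
   */
  function verified(err, user, info) {
    if (err) { return self.error(err); }
    if (!user) {
      if (typeof info === 'string') {
        info = { message: info };
      }
      info = info || {};
      return self.fail(self._challenge('invalid_token', info.message));
    }
    self.success(user, info);
  }

  // The verify callback optionally receives the request as its first argument.
  if (self._passReqToCallback) {
    this._verify(req, token, verified);
  } else {
    this._verify(token, verified);
  }
};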

Wouldn't the above code block the use of the access_token parameter?

When I try to pass the bearer token in as a query or body parameter, I get a 401 but if I pass it as an authorization header, the call works.

Any ideas how I can debug this further to figure out what is blocking the request?