mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License
1.97k stars, 214 forks

Extractors.FromHeader should be case insensitive #179

Open remie opened 5 years ago

remie commented 5 years ago

HTTP headers are case insensitive (see https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2).

This was fixed for fromAuthHeaderWithScheme in #118 but is still an issue in fromHeader. EDIT: on closer inspection, the fix of #118 only makes the scheme case-insensitive. This issue still applies to fromAuthHeaderWithScheme as it assumes the authorization header to be lower case.

mikenicholson commented 4 years ago

As far as I understand it, node's HTTP module takes care of lowercasing the headers on the incoming request object. See https://nodejs.org/api/http.html#http_message_headers.

Can you provide a code example that illustrates different behavior?

SchroederSteffen commented 3 years ago

ExtractJwt.fromHeader() isn't case-insensitive, because it tries to read the header with the given name without lowercasing it beforehand. In the headers map, the names are in lowercase and the parameter value header_name therefore also needs to be in lowercase.

A solution would be to call header_name.toLowerCase(). https://github.com/mikenicholson/passport-jwt/blob/96a6e5565ba5a6f3301d91959a0f646e54446388/lib/extract_jwt.js#L19
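An added example, not code from passport-jwt or from anyone in this thread: a stripped-down header extractor in the style of fromHeader, run against a constructed request object with the lowercased header keys Node provides, comparing the exact-name lookup with the lowercased lookup proposed above. The function names and the X-Auth-Token header are assumptions for illustration.

```javascript
// Constructed request object: Node's http.IncomingMessage lowercases all
// incoming header names, so the map only ever contains lowercase keys.
const constructedReq = {
  headers: {
    'x-auth-token': 'constructed-token-value',
    host: 'example.test',
  },
};

// Exact-name lookup, mirroring the behaviour reported in this issue:
// a caller who configures 'X-Auth-Token' never finds the header, so the
// extractor returns null and authentication fails for every request.
function fromHeaderExact(headerName) {
  return function (req) {
    let token = null;
    if (req.headers && req.headers[headerName]) {
      token = req.headers[headerName];
    }
    return token;
  };
}

// Lowercased lookup: normalise the configured name once, so it matches the
// lowercased keys regardless of how the caller spelled it.
function fromHeaderCaseInsensitive(headerName) {
  const name = headerName.toLowerCase();
  return function (req) {
    let token = null;
    if (req.headers && req.headers[name]) {
      token = req.headers[name];
    }
    return token;
  };
}

// Mixed-case configuration: null from the exact lookup, the token otherwise.
console.log(fromHeaderExact('X-Auth-Token')(constructedReq));
console.log(fromHeaderCaseInsensitive('X-Auth-Token')(constructedReq));
```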