ninenines / cowlib

Support library for manipulating Web protocols.
ISC License

The authorization scheme for HTTP Basic Authentication should not be case sensitive #84

Closed bipthelin closed 5 years ago

bipthelin commented 5 years ago

The cowboy_req:parse_header(<<"authorization">>, Req) code in Cowboy uses cow_http_hd:parse_authorization/1. The code doesn't compare case-insensitively, which, as far as I can understand, breaks RFC 2617. Basic, basic and other cases should all be considered valid.

The code in question: https://github.com/ninenines/cowlib/blob/master/src/cow_http_hd.erl#L891

essen commented 5 years ago

The correct spec is at https://tools.ietf.org/html/rfc7235#section-2.1 but you are correct, it's case insensitive.

bipthelin commented 5 years ago

I've made a PR for this problem: #85

essen commented 5 years ago

Thanks!
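
The behaviour requested in this issue, as an added example that is not cowlib's code and not the patch from #85: a stand-alone Erlang parser that lowercases only the auth scheme before matching, while leaving the credentials untouched. The module name, function names and return shapes are hypothetical, and the sample credentials are constructed.

```erlang
-module(auth_scheme_example).
-export([parse/1, demo/0]).

%% parse(HeaderValue) ->
%%     {basic, User, Pass} | {bearer, Token}
%%   | {other, LowercasedScheme, Rest} | {error, badarg}
parse(Value) when is_binary(Value) ->
    %% The scheme is the token before the first space.
    case binary:split(Value, <<" ">>) of
        [<<>>, _] ->
            {error, badarg};
        [Scheme, Rest0] ->
            Rest = string:trim(Rest0, leading, " "),
            %% Only the scheme is case-insensitive; credentials are not.
            credentials(ascii_lower(Scheme), Rest);
        _ ->
            {error, badarg}
    end.

%% ASCII-only lowercasing: scheme names are ASCII tokens, so no
%% Unicode case mapping is wanted here.
ascii_lower(Bin) ->
    << <<(if C >= $A, C =< $Z -> C + 32; true -> C end)>> || <<C>> <= Bin >>.

credentials(<<"basic">>, B64) ->
    try base64:decode(B64) of
        Decoded ->
            %% Split at the first colon only: the password may contain
            %% colons, the user-id may not.
            case binary:split(Decoded, <<":">>) of
                [User, Pass] -> {basic, User, Pass};
                _ -> {error, badarg}
            end
    catch
        _:_ -> {error, badarg}   % malformed base64
    end;
credentials(<<"bearer">>, Token) ->
    {bearer, Token};
credentials(Scheme, Rest) ->
    {other, Scheme, Rest}.

%% Constructed sample input: every spelling of the scheme must yield
%% the same parsed credentials.
demo() ->
    Cred = base64:encode(<<"Aladdin:open sesame">>),
    [parse(<<S/binary, " ", Cred/binary>>)
     || S <- [<<"Basic">>, <<"basic">>, <<"BASIC">>, <<"bAsIc">>]].
```

Calling `auth_scheme_example:demo()` in an Erlang shell returns one result per spelling, which makes a quick regression check when a proxy and a backend must agree on which requests carry credentials.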