stevespringett / Alpine

An opinionated scaffolding framework that jumpstarts Java projects with an API-first design, secure defaults, and minimal dependencies
Apache License 2.0

Apikey authentication with an HTTP param should be case-insensitive #705

Open jgraglia opened 2 weeks ago

jgraglia commented 2 weeks ago

Hi,

The apikey auth supports both an HTTP header and an HTTP param. For HTTP params, the name should be case-insensitive if I'm right (https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.6), idem for headers.

But the Alpine server seems to require case-sensitive params.

https://github.com/stevespringett/Alpine/blob/master/alpine-server/src/main/java/alpine/server/auth/ApiKeyAuthenticationService.java#L51C1-L52C1

Basically this request is ok

curl https://xxxxxx/api/v1/badge/vulns/project/<uuid>?apiKey=<secret>

and this one is rejected

curl https://xxxxxx/api/v1/badge/vulns/project/<uuid>?apikey=<secret>

I checked Jetty, and HTTP params are not case-sensitive (https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/http/HttpField.html).

PS: I'm using Dependency-Track and the apikey authentication to access badges. I can't use the HTTP header to authenticate as, for a badge, I just need an HTTP link.
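The lookup the report asks for, written here as an added example in plain Java (it is not Alpine's or Dependency-Track's code, and it assumes a JAX-RS-style name-to-values map rather than the project's request object). The parameter name is matched with equalsIgnoreCase, an empty value counts as absent, and two differently-cased spellings carrying different values are rejected instead of silently picking one, so the change cannot be used to smuggle a second key past a filter that only looks at one spelling. The URL, UUID and key values are constructed. One caveat on the RFC argument above: RFC 9110 makes header field names case-insensitive (section 5.1) and the parameter names inside a field value case-insensitive (section 5.6.6), but neither it nor RFC 3986 says anything about query-string key names, so accepting apikey alongside apiKey is an application decision rather than a protocol requirement.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not Alpine's code: case-insensitive lookup of the API key
 * query parameter, failing closed on conflicting spellings.
 */
public final class ApiKeyParamLookup {

    /** Canonical parameter name from the issue; other casings are accepted too. */
    private static final String API_KEY_PARAM = "apiKey";

    /** Parse the raw query of a URI into name -> values, keeping order and duplicates. */
    static Map<String, List<String>> parseQuery(URI uri) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        String raw = uri.getRawQuery();
        if (raw == null || raw.isEmpty()) {
            return params;
        }
        for (String pair : raw.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.computeIfAbsent(decode(name), k -> new ArrayList<>()).add(decode(value));
        }
        return params;
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    /**
     * Returns the API key regardless of how the parameter name is cased.
     * Empty if the parameter is absent or empty, and also empty when two
     * differently-cased spellings carry different values (ambiguous request;
     * refuse rather than guess which one the caller meant).
     */
    static Optional<String> findApiKey(Map<String, List<String>> params) {
        String found = null;
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            if (!e.getKey().equalsIgnoreCase(API_KEY_PARAM)) {
                continue;
            }
            for (String v : e.getValue()) {
                if (v.isEmpty()) {
                    continue; // "?apikey=" is treated as no key at all
                }
                if (found != null && !found.equals(v)) {
                    return Optional.empty(); // conflicting keys: fail closed
                }
                found = v;
            }
        }
        return Optional.ofNullable(found);
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host, UUID and key are placeholders.
        String base = "https://example.invalid/api/v1/badge/vulns/project/"
                + "00000000-0000-0000-0000-000000000000";
        String[] cases = {
            base + "?apiKey=secret",                // spelling the issue says works today
            base + "?apikey=secret",                // lowercased by the browser: now accepted
            base + "?APIKEY=secret&a=a",            // other casing plus a dummy param
            base + "?apiKey=secret&apikey=other",   // conflicting values: rejected
            base                                    // no key at all
        };
        for (String c : cases) {
            Optional<String> key = findApiKey(parseQuery(URI.create(c)));
            System.out.println(c.substring(base.length()) + " -> "
                    + key.map(k -> "key=" + k).orElse("no key / ambiguous"));
        }
    }
}
```

The duplicate-spelling check matters once the name match is relaxed: a reverse proxy or WAF that only inspects `apiKey` would otherwise see one value while the application authenticates with another, so the lookup refuses the request instead of choosing.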

jgraglia commented 2 weeks ago

And for some reason my browser (Chrome) seems to lowercase the apiKey param. In a standard window the URL fails with 401; in an incognito window, the auth is OK and the badge is displayed.

With Firefox, no problem: the case is "respected" in the URL.

jgraglia commented 1 week ago

I was having the issue with Chrome because I stored the URL in lowercase in my history and still used this URL even when I entered the valid case-sensitive URL. One solution: clear the browsing history for that site. Another: add a dummy HTTP param &a=a ...