Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug: Basic authentication requests are case-insensitive both in scheme and parameters, but this isn't supported by APISIX #11837

Open
reinvantveer opened this issue Dec 16, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@reinvantveer
Copy link

reinvantveer commented Dec 16, 2024

Current Behavior

Lines like https://github.com/apache/apisix/blob/master/apisix/plugins/basic-auth.lua#L81 prescribe case-sensitive header keys and values but according to https://datatracker.ietf.org/doc/html/rfc7617#page-3 (scroll down a bit):

Note that both scheme and parameter names are matched case-
insensitively.

APISIX thus does not appear to follow the http spec (unless I'm missing something).

Some products such as Elasticsearch have addressed this issue

Thank you.

Expected Behavior

APISIX should listen to (and unit-test for)

  • authorization: basic [etc.]
  • Authorization: basic [etc.]
  • authorization: Basic [etc.]
    Even:
  • AuThOrIZaTIOn: bAsIC
    is a valid authorization header string start

Error Logs

No response

Steps to Reproduce

I'm unsure on what to write here. The code is in the default branch. I wrote a custom WASM plugin in Rust using the WASM SDK and it only pics up Basic literal request headers as valid authorization header, not basic.

Environment

This doesn't appear to be a version-specific thing.

@dosubot dosubot bot added the bug Something isn't working label Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Status: 📋 Backlog
Development

No branches or pull requests

1 participant