Commit 33d7f70

Parse OAS3 HTTP-Auth schemes case-insensitively
According to the authors of the OAI spec (OAI/OpenAPI-Specification#1880 (comment)), schemes are case-insensitive. Even if they were not, the current checks against lowercase versions of scheme names do not match the IANA registry's canonical versions (https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#table-authschemes), which are "Basic" and "Bearer".
1 parent d89a926 commit 33d7f70

1 file changed

+3
-2
lines changed

src/execute/oas3/build-request.js

Lines changed: 3 additions & 2 deletions
@@ -147,14 +147,15 @@ export function applySecurities({request, securities = {}, operation = {}, spec}
147147
}
148148
}
149149
else if (type === 'http') {
150-
if (schema.scheme === 'basic') {
150+
const scheme = schema.scheme?.toLowerCase()
151+
if (scheme === 'basic') {
151152
const username = value.username || ''
152153
const password = value.password || ''
153154
const encoded = btoa(`${username}:${password}`)
154155
result.headers.Authorization = `Basic ${encoded}`
155156
}
156157

157-
if (schema.scheme === 'bearer') {
158+
if (scheme === 'bearer') {
158159
result.headers.Authorization = `Bearer ${value}`
159160
}
160161
}
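
Review bot: The new line `const scheme = schema.scheme?.toLowerCase()` guards against a missing `scheme` but not a non-string one. If a spec supplies a number or object there, `toLowerCase` is not a function and the call throws inside `applySecurities` instead of skipping the header. A `typeof schema.scheme === 'string'` check before lowercasing would keep the old behaviour of silently matching nothing. The commit also changes only `src/execute/oas3/build-request.js`, so a test that passes `scheme: 'Basic'` and `scheme: 'Bearer'` and asserts the resulting `Authorization` header would pin the case-insensitive match against regression.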
