add support for capital Authorization header. closes #200

auth0 · Apr 20, 2022 · 6c0698b · 6c0698b
1 parent 9a95f8f
commit 6c0698b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -47,10 +47,11 @@ export const expressjwt = (options: Params) => {
         }
       }
 
+      const authorizationHeader = req.headers && 'Authorization' in req.headers ? 'Authorization' : 'authorization';
       if (options.getToken && typeof options.getToken === 'function') {
         token = await options.getToken(req);
-      } else if (req.headers && req.headers.authorization) {
-        const parts = req.headers.authorization.split(' ');
+      } else if (req.headers && req.headers[authorizationHeader]) {
+        const parts = (req.headers[authorizationHeader] as string).split(' ');
         if (parts.length == 2) {
           const scheme = parts[0];
           const credentials = parts[1];

diff --git a/test/jwt.test.ts b/test/jwt.test.ts
@@ -265,15 +265,27 @@ describe('work tests', function () {
     });
   });
 
-  it('should work if no authorization header and credentials are not required', function (done) {
-    const req = {} as express.Request;
+  it('should work if Authorization header is capitalized (lambda environment)', function (done) {
+    const secret = Buffer.from('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 'base64');
+    const token = jwt.sign({ foo: 'bar' }, secret);
+    const req = {} as ExpressJwtRequest;
     const res = {} as express.Response;
-    expressjwt({ secret: 'shhhh', algorithms: ['HS256'], credentialsRequired: false })(req, res, function (err) {
-      assert(typeof err === 'undefined');
+
+    req.headers = {};
+    req.headers.Authorization = 'Bearer ' + token;
+    expressjwt({ secret: secret, algorithms: ['HS256'] })(req, res, function (err) {
+      if (err) { return done(err); }
+      assert.equal(req.auth.foo, 'bar');
       done();
     });
   });
 
+  it('should work if no authorization header and credentials are not required', function (done) {
+    const req = {} as express.Request;
+    const res = {} as express.Response;
+    expressjwt({ secret: 'shhhh', algorithms: ['HS256'], credentialsRequired: false })(req, res, done);
+  });
+
   it('should not work if no authorization header', function (done) {
     const req = {} as express.Request;
     const res = {} as express.Response;