Skip to content

fix: make Authorization header check case-insensitive #1528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 5, 2025
Merged

fix: make Authorization header check case-insensitive #1528

merged 1 commit into from
Sep 5, 2025
+3 −1

Conversation

Louis454545
Copy link
Contributor

Summary

Fixes #1043

This PR makes the Authorization header detection case-insensitive, which is the correct behavior according to HTTP RFC standards. Previously, the code only checked for the exact string 'Authorization' in headers, but HTTP headers should be case-insensitive.

Changes Made

  • Replace case-sensitive 'Authorization' in this.headers check with case-insensitive Object.keys(this.headers).some(key => key.toLowerCase() === 'authorization')
  • This allows headers like 'authorization', 'Authorization', 'AUTHORIZATION' to all work correctly

Testing

  • All existing unit tests pass
  • Build completes successfully
  • Manual testing with various header case combinations (lowercase, uppercase, mixed case)
  • Verified that no authorization header case still works correctly

Root Cause

The issue was introduced in the hasCustomAuthorizationHeader check which was meant to detect custom auth headers but was using case-sensitive string matching instead of proper case-insensitive header handling.

Additional Notes

This is a small but important fix that improves compatibility with various HTTP client implementations that may use different casing for the Authorization header.

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

@Louis454545
fix: make Authorization header check case-insensitive
1dc33e8 
- Fix issue supabase#1043 where custom Authorization headers were checked case-sensitively
- HTTP headers should be case-insensitive according to RFC standards
- Replace exact key match with case-insensitive check using Object.keys().some()
- This allows headers like 'authorization', 'Authorization', 'AUTHORIZATION' to work correctly
@mandarini mandarini self-assigned this Aug 13, 2025
@coveralls
Copy link

Pull Request Test Coverage Report for Build 16890387198

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.1%) to 74.9%
Totals Coverage Status
Change from base Build 16805913259: 0.1%
Covered Lines: 123
Relevant Lines: 147
💛 - Coveralls

mandarini
mandarini approved these changes Sep 5, 2025
View reviewed changes
Copy link
Contributor

@mandarini mandarini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution @Louis454545 !

@mandarini mandarini merged commit cae024c into supabase:master Sep 5, 2025
13 checks passed
@Louis454545 Louis454545 deleted the fix/issue-1043-case-insensitive-auth-header branch September 5, 2025 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mandarini mandarini mandarini approved these changes

Assignees

@mandarini mandarini

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

New check for a custom Authorization header is case sensitive. Headers are case insensitive
3 participants
@Louis454545 @coveralls @mandarini