Parse OAS3 HTTP-Auth schemes case-insensitively

According to the authors of the OAI spec [1] schemes are case-insensitive. Even if they were not, the current checks against lowercase versions of scheme names do not match the IANA registry's canonical versions [2] which are "Basic" and "Bearer". [1] OAI/OpenAPI-Specification#1880 (comment) [2] https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#table-authschemes
asazernik · May 6, 2020 · 264e6f4 · 264e6f4
1 parent d89a926
commit 264e6f4
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/execute/oas3/build-request.js b/src/execute/oas3/build-request.js
@@ -147,14 +147,15 @@ export function applySecurities({request, securities = {}, operation = {}, spec}
           }
         }
         else if (type === 'http') {
-          if (schema.scheme === 'basic') {
+          const scheme = schema.scheme && schema.scheme.toLowerCase()
+          if (scheme === 'basic') {
             const username = value.username || ''
             const password = value.password || ''
             const encoded = btoa(`${username}:${password}`)
             result.headers.Authorization = `Basic ${encoded}`
           }
 
-          if (schema.scheme === 'bearer') {
+          if (scheme === 'bearer') {
             result.headers.Authorization = `Bearer ${value}`
           }
         }