make bearer header case insensitive

Sephster · Sephster · commit e9850ab0047d · 2025-09-17T07:25:28.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - Added sensitive parameter to avoid sensitive data being included in stack traces (PR #1483)
 
+### Fixed
+- Made the Bearer header case insensitive to match the specs correctly (PR #XXX)
+
 ## [9.2.0] - released 2025-02-15
 ### Added
 - Added a new function to the provided ClientTrait, `supportsGrantType` to allow the auth server to issue the response `unauthorized_client` when applicable (PR #1420)
diff --git a/src/AuthorizationValidators/BearerTokenValidator.php b/src/AuthorizationValidators/BearerTokenValidator.php
@@ -94,7 +94,7 @@ public function validateAuthorization(ServerRequestInterface $request): ServerRe
         }
 
         $header = $request->getHeader('authorization');
-        $jwt = trim((string) preg_replace('/^\s*Bearer\s/', '', $header[0]));
+        $jwt = trim((string) preg_replace('/^\s*Bearer\s/i', '', $header[0]));
 
         if ($jwt === '') {
             throw OAuthServerException::accessDenied('Missing "Bearer" token');
diff --git a/tests/AuthorizationValidators/BearerTokenValidatorTest.php b/tests/AuthorizationValidators/BearerTokenValidatorTest.php
@@ -105,7 +105,7 @@ public function testBearerTokenValidatorAcceptsExpiredTokenWithinLeeway(): void
         self::assertArrayHasKey('authorization', $validRequest->getHeaders());
     }
 
-    public function testBearerTokenValidatorRejectsExpiredTokenBeyondLeeway(): void
+    public function testBearerTokenValidatorIsNotCaseSensitive(): void
     {
         $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
 
@@ -135,4 +135,31 @@ public function testBearerTokenValidatorRejectsExpiredTokenBeyondLeeway(): void
 
         $bearerTokenValidator->validateAuthorization($request);
     }
+
+    public function testBearerTokenValidatorCaseInsensitiveWithBearerHeader(): void
+    {
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+
+        $bearerTokenValidator = new BearerTokenValidator($accessTokenRepositoryMock);
+        $bearerTokenValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+
+        $bearerTokenValidatorReflection = new ReflectionClass(BearerTokenValidator::class);
+        $jwtConfiguration = $bearerTokenValidatorReflection->getProperty('jwtConfiguration');
+
+        $validJwt = $jwtConfiguration->getValue($bearerTokenValidator)->builder()
+            ->permittedFor('client-id')
+            ->identifiedBy('token-id')
+            ->issuedAt(new DateTimeImmutable())
+            ->canOnlyBeUsedAfter(new DateTimeImmutable())
+            ->expiresAt((new DateTimeImmutable())->add(new DateInterval('PT1H')))
+            ->relatedTo('user-id')
+            ->withClaim('scopes', 'scope1 scope2 scope3 scope4')
+            ->getToken(new Sha256(), InMemory::file(__DIR__ . '/../Stubs/private.key'));
+
+        $request = (new ServerRequest())->withHeader('authorization', sprintf('bEaReR %s', $validJwt->toString()));
+
+        $validRequest = $bearerTokenValidator->validateAuthorization($request);
+
+        self::assertArrayHasKey('authorization', $validRequest->getHeaders());
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ public function validateAuthorization(ServerRequestInterface $request): ServerRe`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`$header = $request->getHeader('authorization');`
`97`		`- $jwt = trim((string) preg_replace('/^\s*Bearer\s/', '', $header[0]));`
	`97`	`+ $jwt = trim((string) preg_replace('/^\s*Bearer\s/i', '', $header[0]));`
`98`	`98`
`99`	`99`	`if ($jwt === '') {`
`100`	`100`	`throw OAuthServerException::accessDenied('Missing "Bearer" token');`