Disallow invalid character after BEARER prefix

VojtechVitek · VojtechVitek · commit f45826e0276b · 2025-03-27T12:34:42.000+01:00
diff --git a/jwtauth.go b/jwtauth.go
@@ -268,7 +268,7 @@ func TokenFromCookie(r *http.Request) string {
 func TokenFromHeader(r *http.Request) string {
 	// Get token from authorization header.
 	bearer := r.Header.Get("Authorization")
-	if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
+	if len(bearer) > 7 && strings.EqualFold(bearer[0:7], "Bearer ") {
 		return bearer[7:]
 	}
 	return ""

Original file line number	Diff line number	Diff line change
`@@ -268,7 +268,7 @@ func TokenFromCookie(r *http.Request) string {`
`268`	`268`	`func TokenFromHeader(r *http.Request) string {`
`269`	`269`	`// Get token from authorization header.`
`270`	`270`	`bearer := r.Header.Get("Authorization")`
`271`		`- if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {`
	`271`	`+ if len(bearer) > 7 && strings.EqualFold(bearer[0:7], "Bearer ") {`
`272`	`272`	`return bearer[7:]`
`273`	`273`	`}`
`274`	`274`	`return ""`