Case-insensitive lookup of bearer auth token

Closes gh-1116
spring-projects · Feb 17, 2025 · 6120c31 · 6120c31
1 parent 3360e4a
commit 6120c31
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/...n/java/org/springframework/graphql/server/support/BearerTokenAuthenticationExtractor.java b/...n/java/org/springframework/graphql/server/support/BearerTokenAuthenticationExtractor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 
 import reactor.core.publisher.Mono;
 
+import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.server.resource.BearerTokenError;
@@ -68,7 +69,7 @@ public BearerTokenAuthenticationExtractor(String authorizationKey) {
 
 	@Override
 	public Mono<Authentication> getAuthentication(Map<String, Object> payload) {
-		String authorizationValue = (String) payload.get(this.authorizationKey);
+		String authorizationValue = getAuthorizationValue(payload);
 		if (authorizationValue == null) {
 			return Mono.empty();
 		}
@@ -88,4 +89,18 @@ public Mono<Authentication> getAuthentication(Map<String, Object> payload) {
 		return Mono.just(new BearerTokenAuthenticationToken(token));
 	}
 
+	@Nullable
+	private String getAuthorizationValue(Map<String, Object> payload) {
+		String value = (String) payload.get(this.authorizationKey);
+		if (value != null) {
+			return value;
+		}
+		for (String key : payload.keySet()) {
+			if (key.equalsIgnoreCase(this.authorizationKey)) {
+				return (String) payload.get(key);
+			}
+		}
+		return null;
+	}
+
 }
diff --git a/...a/org/springframework/graphql/server/support/BearerTokenAuthenticationExtractorTests.java b/...a/org/springframework/graphql/server/support/BearerTokenAuthenticationExtractorTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -46,6 +46,14 @@ void extract() {
 		assertThat(auth.getName()).isEqualTo("123456789");
 	}
 
+	@Test // gh-1116
+	void extractCaseInsensitive() {
+		Authentication auth = getAuthentication(Map.of("authorization", "Bearer 123456789"));
+
+		assertThat(auth).isNotNull();
+		assertThat(auth.getName()).isEqualTo("123456789");
+	}
+
 	@Test
 	void noToken() {
 		Authentication auth = getAuthentication(Collections.emptyMap());