AndyGaskell
2 Oct 2020

I'd be happy for this to be rejected, but it seemed perhaps worth a quick discussion. I can code up a fix if people agree it's an issue.

I think auth headers in Joomla 4 API should maybe be case insensitive. I know header case has been a long-standing subject of discussion in the web generally, so sorry if this has previously been discussed and decided on.

In the IETF standards docs at https://tools.ietf.org/html/rfc2616#section-4.2 it states that "Field names are case-insensitive."

This affects Joomla 4's API with regard to authorisation and the bearer token.

Steps to reproduce the issue

  1. Set up a test site at http://localhost/joomla/joomla_4_beta_4

  2. Get a Joomla API Token, from, for example https://localhost/joomla/joomla_4_beta_4/administrator/index.php?option=com_users&view=users

  3. Make a cURL request like...
    curl --location --request GET 'http://localhost/joomla/joomla_4_beta_4/api/index.php/v1/content/article' --header 'authorization: bearer MY_API_TOKEN_HERE'
    Note that authorization and bearer are in lowercase.

Expected result

Valid json article data, as per a cURL call with Authorization and Bearer in uppercase.

So, the call...
curl --location --request GET 'http://localhost/joomla/joomla_4_beta_4/api/index.php/v1/content/article' --header 'Authorization: Bearer MY_API_TOKEN_HERE'
...returns valid json article data.

Actual result

Get a 406 response, "Not Acceptable client error" https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/406

System information (as much as possible)

mysql: 8.0.21-0ubuntu0.20.04.4
PHP: 7.4.3
Apache/2.4.41 (Ubuntu)
apache2handler
Joomla! 4.0.0-beta4 Beta [ Mañana ] 15-September-2020 13:46 GMT
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
systeminfo-2020-10-02T14 58 35+01 00.txt

Additional comments

I think this can be resolved with relatively simple changes to...
https://github.com/joomla/joomla-cms/blob/4.0-dev/plugins/api-authentication/token/token.php

I'll check if it affects Basic Auth in the same way...
https://github.com/joomla/joomla-cms/blob/4.0-dev/plugins/api-authentication/basic/basic.php

I'd be happy to make the changes and test them.
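
A sketch of the case-insensitive matching this issue asks for, as an added example that is not part of the original post and not Joomla's code; `extractBearerToken()` and the sample header arrays are hypothetical. It ignores case in both the field name and the scheme (RFC 7235 defines the auth scheme as case-insensitive too) and returns the token itself unchanged.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Joomla's code): return the bearer token from a
 * header map, matching the field name and the auth scheme case-insensitively.
 * The token itself is a credential and is returned byte-for-byte.
 */
function extractBearerToken(array $headers): ?string
{
    $value = null;
    foreach ($headers as $name => $candidate) {
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            if ($value !== null) {
                return null; // duplicate Authorization fields: ambiguous, reject
            }
            $value = (string) $candidate;
        }
    }
    if ($value === null) {
        return null;
    }
    // Scheme, one or more spaces, then a token68 credential (RFC 6750 syntax).
    if (!preg_match('/^bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', trim($value), $m)) {
        return null;
    }
    return $m[1];
}

// Constructed sample requests; the token and Basic values are placeholders.
$samples = [
    'canonical'    => ['Authorization' => 'Bearer MY_API_TOKEN_HERE'],
    'lowercase'    => ['authorization' => 'bearer MY_API_TOKEN_HERE'],
    'upper scheme' => ['AUTHORIZATION' => 'BEARER MY_API_TOKEN_HERE'],
    'other scheme' => ['Authorization' => 'Basic dXNlcjpwYXNz'],
    'missing'      => ['Accept' => 'application/vnd.api+json'],
];

foreach ($samples as $label => $headers) {
    $token = extractBearerToken($headers);
    printf("%-12s => %s\n", $label, $token === null ? 'no bearer token' : 'token found');
}
```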

AndyGaskell - open - 2 Oct 2020
zero-24 - comment - 2 Oct 2020

Sounds good to me.

Quy - comment - 2 Oct 2020

PR #30882

Quy - change - 2 Oct 2020
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2020-10-02 19:03:03
Closed_By: Quy
Quy - close - 2 Oct 2020
