fix: header parameter lookup should be case-insensitive#10

Merged: nic-6443 merged 2 commits into main from fix/header-case-insensitive on May 8, 2026

Conversation

@jarvis9443 jarvis9443 commented May 8, 2026

Problem

Header validation fails when the OpenAPI spec defines lowercase header names (e.g. x-client-id) but HTTP/1.1 clients send canonical case (e.g. X-Client-Id). The existing fallback raw_values[str_lower(name)] only lowercases the spec name — a no-op when it's already lowercase.

Fix

Normalize header table keys to lowercase before passing to validate_param_group. This makes the existing str_lower(name) fallback work correctly for all case combinations.

Tests

Added unit tests covering:

  • Spec lowercase + request canonical case (x-client-id vs X-Client-Id)
  • Spec lowercase + request uppercase (x-client-id vs X-CLIENT-ID)
  • Spec mixed case + request lowercase (Authorization vs authorization)
  • Missing required header still correctly rejected

Summary by CodeRabbit

  • Bug Fixes

    • Header parameter validation is now case-insensitive, so requests with headers in canonical, uppercase, or mixed-case formats are correctly matched and validated against API specs.
  • Tests

    • Added conformance and unit tests to verify case-insensitive header matching for common headers (e.g., Authorization, Content-Type).

Normalize header keys to lowercase before validation so that
spec-defined lowercase names (e.g. x-client-id) match request
headers in canonical case (e.g. X-Client-Id) from HTTP/1.1 clients.

Previously the fallback str_lower(name) only lowercased the spec name,
which is a no-op when the spec name is already lowercase.
Copilot AI review requested due to automatic review settings May 8, 2026 09:57
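
The lookup failure and the fix described in this PR, as an added example that is not code from the pull request or the project. `lookup` is a simplified model of the fallback quoted in the description, `lower_keys` is a hypothetical helper standing in for the normalization step, and the header names and values are constructed to mirror the listed unit tests.

```lua
-- Added example: simplified model of the described behaviour, not the project's code.
local str_lower = string.lower

-- Lookup as described in the PR: try the spec name as written,
-- then fall back to the lowercased spec name.
local function lookup(raw_values, name)
    local v = raw_values[name]
    if v == nil then
        v = raw_values[str_lower(name)]
    end
    return v
end

-- The fix: copy the request headers into a new table with lowercase keys.
-- Keys that differ only by case collapse into a single entry.
local function lower_keys(headers)
    local lower_headers = {}
    for k, v in pairs(headers) do
        if type(k) == "string" then
            lower_headers[str_lower(k)] = v
        end
    end
    return lower_headers
end

-- Constructed cases: { spec name, request headers, found before fix, found after fix }
local cases = {
    { "x-client-id",   { ["X-Client-Id"] = "abc" },        false, true  },
    { "x-client-id",   { ["X-CLIENT-ID"] = "abc" },        false, true  },
    { "Authorization", { ["authorization"] = "Bearer t" }, true,  true  },
    { "x-client-id",   { ["Accept"] = "*/*" },             false, false }, -- required header missing
}

for _, c in ipairs(cases) do
    local name, headers = c[1], c[2]
    local before = lookup(headers, name) ~= nil
    local after = lookup(lower_keys(headers), name) ~= nil
    -- Without normalization only the lowercase-request case matches;
    -- with it every present header matches and the absent one still does not.
    assert(before == c[3] and after == c[4], "unexpected result for " .. name)
    print(string.format("%-14s before=%-5s after=%s",
        name, tostring(before), tostring(after)))
end
```
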
coderabbitai Bot commented May 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a95bde2-aa21-481b-84a4-92e4412429e5

📥 Commits

Reviewing files that changed from the base of the PR and between ac637ca and 41a7c3a.

📒 Files selected for processing (1)
  • t/conformance/test_validate_header.lua
🚧 Files skipped from review as they are similar to previous changes (1)
  • t/conformance/test_validate_header.lua

📝 Walkthrough

This PR normalizes incoming request header keys to lowercase before header parameter validation and adds unit and conformance tests verifying case-insensitive header name matching across canonical, uppercase, and mixed-case header variants.

Changes

Case-Insensitive Header Validation

| Layer / File(s) | Summary |
| --- | --- |
| Core Implementation: lib/resty/openapi_validator/params.lua | Header validation builds a normalized lower_headers table from incoming request headers and validates header parameters against this map instead of the original header table. |
| Unit Tests: t/unit/test_params.lua | Three tests assert params_mod.validate performs case-insensitive header matching for canonical (X-Client-Id), uppercase (X-CLIENT-ID), and mixed-case (authorization) incoming header keys. |
| Conformance Tests: t/conformance/test_validate_header.lua | Two conformance tests assert validator:validate_request succeeds with case-insensitive header matching for Authorization and Content-Type using canonical and uppercase header keys; an existing skip-header test comment was renumbered. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • nic-6443
🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix: header parameter lookup should be case-insensitive' directly and clearly describes the main change in the PR—making header parameter validation case-insensitive across multiple files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| E2e Test Quality Review | ✅ Passed | Good E2E and unit test coverage. Conformance tests validate header case-insensitivity across three casings. Implementation is correct, error handling proper, no race conditions. |
| Security Check | ✅ Passed | Security audit complete. No vulnerabilities found across all 7 categories. Header normalization creates new table (safe). Never exposes header values in errors. |


Copilot AI left a comment

Pull request overview

Fixes header parameter validation to be case-insensitive by normalizing incoming request header table keys to lowercase before parameter lookup/validation, aligning behavior with HTTP header case-insensitivity and OpenAPI expectations.

Changes:

  • Lowercase all request header keys inside params.validate() before validating header parameters.
  • Add unit tests covering spec/request header name casing combinations for header params.
  • Add conformance tests asserting canonical/uppercase header keys pass validation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| lib/resty/openapi_validator/params.lua | Normalizes request header keys to lowercase before header parameter validation. |
| t/unit/test_params.lua | Adds unit tests for case-insensitive header parameter matching across casing variants. |
| t/conformance/test_validate_header.lua | Adds conformance coverage for canonical/uppercase request header keys. |

Comment thread t/conformance/test_validate_header.lua Outdated
Comment thread t/conformance/test_validate_header.lua
- Spec has capitalized names (Authorization, Content-Type), not lowercase
- Rename 'mixed case' test to 'uppercase' to match actual header keys used
@nic-6443 nic-6443 merged commit 7ad2ac4 into main May 8, 2026
4 checks passed
@nic-6443 nic-6443 deleted the fix/header-case-insensitive branch May 8, 2026 10:06
@nic-6443 nic-6443 self-assigned this May 8, 2026