Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Server-side header option does not accept capital letters #218

mmwtsn opened this Issue Jun 3, 2016 · 4 comments


None yet
3 participants
Copy link

mmwtsn commented Jun 3, 2016


RESTful authentication fails if the optional header key in the server-side configuration options includes capital letters.


I brought this up in the Slack channel yesterday and @ekryski asked that I open an issue with steps to reproduce the problem. This happens because internally Node's http module lower cases all headers names to normalize their values. If a user attempts to configure their authentication options with a header that includes capital letters lookup inside src/middleware/express.js fails.

For example, this configuration:

// Application setup
.configure(authentication({ header: 'X-Auth-Token' })

Causes the following situation internally wen a POST request is made with a X-Auth-Token header:

// Express middleware
console.log(options.header);              // => 'X-Auth-Token'
console.log(req.headers['x-auth-token']); // => token
console.log(req.headers['X-Auth-Token']); // => undefined

Steps to reproduce

  1. Clone the repository locally and cd into the project root.

  2. Open example/app.js in your text editor.

  3. Add the optional header value with inside example/app.js:

    diff --git a/example/app.js b/example/app.js
    index 444ad12..9c52a6b 100644
    --- a/example/app.js
    +++ b/example/app.js
    @@ -17,7 +17,8 @@ var app = feathers()
    .use(bodyParser.urlencoded({ extended: true }))
    // Configure feathers-authentication
    -    idField: 'id'
    +    idField: 'id',
    +    header: 'X-Auth-Token'
    // Initialize a user service
    .use('/users', memory())
  4. Set up the example server:

    $ npm install
    $ node example/app.js
    Feathers authentication app started on
  5. In a new terminal session, create a new token using the default user:

    $ curl -X POST \
    -H 'Content-Type: application/json' \
    -d '{ "email": "", "password": "admin" }' \
  6. Use the token to view a restricted resource:

    $ curl -X GET \
    -H 'X-Auth-Token:$YOUR_TOKEN_FROM_ABOVE' \

    Despite using the header I configured the app to use this request fails for me.


This comment has been minimized.

Copy link
Contributor Author

mmwtsn commented Jun 3, 2016

This is a little bit confusing right now because:

  • the server-side config uses a lowercase default (authorization)
  • the client-side config uses an uppercase default (Authorization)

As Eric pointed out in Slack the Node default is lowercase header values. I think it makes sense to move forward with and align both the server- and client-side defaults to that standard.

@mmwtsn mmwtsn referenced this issue Jun 3, 2016


Lowercase custom header #219

0 of 2 tasks complete

This comment has been minimized.

Copy link

marshallswain commented Jun 3, 2016

Stellar issue report, BTW. I think it makes sense to lowercase everywhere.


This comment has been minimized.

Copy link
Contributor Author

mmwtsn commented Jun 3, 2016


Do you mind if I push it up to #219 as well?

Here's the diff:

diff --git a/src/client/hooks.js b/src/client/hooks.js
index 35a4551..ab0b7ad 100644
--- a/src/client/hooks.js
+++ b/src/client/hooks.js
@@ -13,7 +13,7 @@ export function populateHeader(options = {}) {
   return function(hook) {
     if (hook.params.token) {
       hook.params.headers = Object.assign({}, {
-        [options.header || 'Authorization']: hook.params.token
+        [options.header || 'authorization']: hook.params.token
       }, hook.params.headers);
diff --git a/test/integration/rest.test.js b/test/integration/rest.test.js
index b59a7f6..2ddd748 100644
--- a/test/integration/rest.test.js
+++ b/test/integration/rest.test.js
@@ -259,7 +259,7 @@ describe('REST authentication', function() {
             method: 'GET',
             json: true,
             headers: {
-              Authorization: validToken
+              authorization: validToken

This comment has been minimized.

Copy link

ekryski commented Jun 4, 2016

@mmwtsn Yeah man! Thanks for the stellar issue!

Yeah I think that's just fine to push it up.

@daffl daffl closed this in #219 Jun 9, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.