Description
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (go version)?
1.8
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
amd64 linux
What did you do?
Although RFC 2617 section 2 seems to specify that a basic auth header should be in the format "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", with the first letter of "basic" capitalized, this is not explicitly stated.
parseBasicAuth() requires "Basic". While this may be correct, many clients send "BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==". This was changed in Rails in 2015, for instance.
That issue incorrectly uses RFC 2617 section 1 as justification, but as section 2 does not explicitly require Basic this seems like something that should be changed in order to offer the broadest compatibility with clients.
What did you expect to see?
With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "Aladdin", "open sesame", true
What did you see instead?
With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "", "", false
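The difference reported above, as an added example that is not part of the original issue and is not net/http's source. `parseStrict`, `parseFold` and `decodeCredentials` are hypothetical helpers; the header values are constructed from the payload quoted in the issue.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

const scheme = "Basic " // scheme token plus the separating space

// parseStrict (hypothetical) matches the scheme byte-for-byte, the behaviour
// the issue reports: "BASIC ..." is rejected.
func parseStrict(auth string) (user, pass string, ok bool) {
	if !strings.HasPrefix(auth, scheme) {
		return "", "", false
	}
	return decodeCredentials(auth[len(scheme):])
}

// parseFold (hypothetical) compares only the scheme case-insensitively; the
// base64 payload and the decoded credentials stay case-sensitive.
func parseFold(auth string) (user, pass string, ok bool) {
	if len(auth) < len(scheme) || !strings.EqualFold(auth[:len(scheme)], scheme) {
		return "", "", false
	}
	return decodeCredentials(auth[len(scheme):])
}

// decodeCredentials base64-decodes "user:pass" and splits on the first colon,
// since a password may itself contain ':'.
func decodeCredentials(b64 string) (user, pass string, ok bool) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", false
	}
	if user, pass, ok = strings.Cut(string(raw), ":"); !ok {
		return "", "", false
	}
	return user, pass, true
}

func main() {
	// Constructed header values; the payload is the one quoted in the issue.
	for _, h := range []string{"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", "BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==", "basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="} {
		_, _, s := parseStrict(h)
		u, p, f := parseFold(h)
		fmt.Printf("%-6.6s strict=%v fold=%v user=%q pass=%q\n", h, s, f, u, p)
	}
}
```

Only the scheme token is folded; a different scheme such as `Bearer` or a header without the separating space is still rejected by both helpers.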