Description
The Authorization header used incorrect casing for the authentication scheme in multiple locations throughout the codebase:
// Incorrect (used in codebase)
Authorization: 'bearer ' + token
// Correct (per RFC 7235)
Authorization: 'Bearer ' + token
RFC 7235 defines the authentication scheme token as case-insensitive, but in practice some HTTP clients, proxies and servers match it case-sensitively. The standard convention is Bearer (capital B).
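As an added illustration (not code from lib/github.ts or PR #6147), the following TypeScript helpers emit the canonical `Bearer` scheme when building the header, accept either casing when parsing one (as RFC 7235 allows), and scan source text for the lowercase `'bearer '` literal this issue describes; the function names and the sample source are assumptions constructed for the example.

```typescript
// Canonical scheme name: always send this form so strict intermediaries accept it.
const CANONICAL_SCHEME = "Bearer";

// Build an outgoing Authorization header value with the conventional casing.
// The token is checked against the token68 grammar (RFC 7235 §2.1) so that
// a malformed value fails here rather than as an opaque 401 downstream.
function buildAuthorizationHeader(token: string): string {
  if (!/^[A-Za-z0-9\-._~+\/]+=*$/.test(token)) {
    throw new Error("token is not a valid token68 value");
  }
  return `${CANONICAL_SCHEME} ${token}`;
}

interface ParsedAuth {
  scheme: string;       // normalised to "Bearer" when it matches case-insensitively
  credentials: string;
}

// Parse an incoming header tolerantly: RFC 7235 makes the scheme token
// case-insensitive, so "bearer x" and "BEARER x" both denote Bearer auth.
function parseAuthorizationHeader(header: string): ParsedAuth | null {
  const m = /^\s*([A-Za-z0-9!#$%&'*+\-.^_`|~]+)\s+(\S.*?)\s*$/.exec(header);
  if (!m) return null;
  const scheme = m[1].toLowerCase() === "bearer" ? CANONICAL_SCHEME : m[1];
  return { scheme, credentials: m[2] };
}

// Lightweight audit for the defect in this issue: report 1-based line numbers
// of source lines that build the header with a lowercase "bearer " literal.
function findLowercaseBearer(source: string): number[] {
  return source
    .split("\n")
    .map((line, i) => (/['"`]bearer\s/.test(line) ? i + 1 : 0))
    .filter((n) => n > 0);
}

// Constructed sample source (hypothetical, not the project's real file).
const SAMPLE_SOURCE = [
  "const headers = {",
  "  Authorization: 'bearer ' + token,   // lowercase scheme: the bug",
  "  Accept: 'application/vnd.github+json',",
  "};",
  "res.setHeader('Authorization', `Bearer ${token}`); // canonical form",
].join("\n");
```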
Impact
HIGH — Authentication failures in picky deployments. While most HTTP libraries handle case-insensitive scheme matching, some edge cases (custom proxies, API gateways, certain CDN configurations) may reject requests with lowercase bearer, causing 401 Unauthorized responses.
Location
Multiple files in lib/github.ts and related auth utilities.
Note
This was fixed in PR #6147. This issue exists for tracking and documentation purposes.