From 264e6f4393f7aeb7545327a74bedff2f656432a3 Mon Sep 17 00:00:00 2001
From: Asa Zernik
Date: Tue, 5 May 2020 18:20:16 -0700
Subject: [PATCH] Parse OAS3 HTTP-Auth schemes case-insensitively
According to the authors of the OAI spec [1] schemes are case-insensitive. Even if they were not, the current checks against lowercase versions of scheme names do not match the IANA registry's canonical versions [2] which are "Basic" and "Bearer".
[1] https://github.com/OAI/OpenAPI-Specification/pull/1880#issuecomment-584730191
[2] https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#table-authschemes
---
 src/execute/oas3/build-request.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/execute/oas3/build-request.js b/src/execute/oas3/build-request.js
index b5b0b48de..4ee2de2a9 100644
--- a/src/execute/oas3/build-request.js
+++ b/src/execute/oas3/build-request.js
@@ -147,14 +147,15 @@ export function applySecurities({request, securities = {}, operation = {}, spec}
 }
 }
 else if (type === 'http') {
- if (schema.scheme === 'basic') {
+ const scheme = schema.scheme && schema.scheme.toLowerCase()
+ if (scheme === 'basic') {
 const username = value.username || ''
 const password = value.password || ''
 const encoded = btoa(`${username}:${password}`)
 result.headers.Authorization = `Basic ${encoded}`
 }
- if (schema.scheme === 'bearer') {
+ if (scheme === 'bearer') {
 result.headers.Authorization = `Bearer ${value}`
 }
 }
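Review bot: The new `const scheme = schema.scheme && schema.scheme.toLowerCase()` throws a TypeError when `scheme` is a truthy non-string (for example a number or object in a malformed or untrusted spec), whereas the old strict comparison simply failed to match. A type guard keeps the previous tolerance: `const scheme = typeof schema.scheme === 'string' ? schema.scheme.toLowerCase() : undefined`. The diffstat shows only build-request.js changed, so a regression test covering mixed-case spellings such as `Basic` and `BEARER`, plus a non-string scheme, would be worth adding with this change. applySecurities starts and ends outside this hunk, so whether the spec is validated before this point is not visible here.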