
Fix Bearer token extraction on headers with leading whitespace #37

Merged: pavanputhra merged 1 commit into main from fix/bearer-token-slice-offset on Mar 9, 2026


@pavanputhra
Contributor

Summary

  • Fixes bug identified in PR #31 (Implement API key authentication for REST and MCP HTTP endpoints) review: authHeader.slice(7) was applied to the original untrimmed string while the startsWith('bearer ') check used .trim(), causing corrupted token extraction if the Authorization header had leading whitespace
  • Applied the same fix to both locations: getTokenFromRequest (HTTP) and the Koa middleware

Test plan

  • Verify that Authorization: Bearer <token> (normal) still works
  • Verify that Authorization: Bearer <token> (leading whitespace) now extracts the correct token
  • Check both REST and MCP HTTP endpoints authenticate correctly

🤖 Generated with Claude Code

Trim the Authorization header before slicing to extract the token,
so headers like " Bearer token" are parsed correctly instead of
producing a corrupted token value.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pavanputhra merged commit 9182c9c into main on Mar 9, 2026
3 checks passed
pavanputhra deleted the fix/bearer-token-slice-offset branch on March 9, 2026 07:29
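
The offset mismatch described in the summary, reproduced as an added example (not the project's code): the scheme check runs on a trimmed copy while `slice(7)` runs on the original string. The function names, the `toLowerCase()` call, the final token trim and the sample headers are assumptions made for illustration.

```javascript
// Added example; extractTokenBefore/extractTokenAfter are hypothetical names,
// not functions from the repository.

// "Before": validate a trimmed copy, then slice the ORIGINAL string.
// Any leading whitespace shifts the offset, so the token comes out wrong.
function extractTokenBefore(authHeader) {
  if (typeof authHeader !== 'string') return null;
  if (!authHeader.trim().toLowerCase().startsWith('bearer ')) return null;
  return authHeader.slice(7); // offset assumes "Bearer " starts at index 0
}

// "After": trim once, then check and slice the same string.
// The trailing trim and empty-token check go beyond the fix described
// in the PR and are an assumption of this example.
function extractTokenAfter(authHeader) {
  if (typeof authHeader !== 'string') return null;
  const trimmed = authHeader.trim();
  if (!trimmed.toLowerCase().startsWith('bearer ')) return null;
  const token = trimmed.slice(7).trim();
  return token.length > 0 ? token : null;
}

// Run both extractors on the same header for side-by-side comparison.
function compare(authHeader) {
  return {
    before: extractTokenBefore(authHeader),
    after: extractTokenAfter(authHeader),
  };
}

// Constructed sample headers (the token value is made up).
const samples = [
  'Bearer example-token-123',   // normal
  ' Bearer example-token-123',  // one leading space
  '  Bearer example-token-123', // two leading spaces
  'Basic dXNlcjpwYXNz',         // different scheme
];

for (const header of samples) {
  console.log(JSON.stringify(header), compare(header));
}
```

With one leading space the old logic returns the token with a space in front of it; with two it returns the token prefixed by `r `, so a comparison against the stored key fails even though the client sent a valid one.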