From e79db4b0d2744c1c5fc96cf8f43dc509b2f5e1a6 Mon Sep 17 00:00:00 2001
From: Pavan Kumar
Date: Mon, 9 Mar 2026 12:58:42 +0530
Subject: [PATCH] Fix Bearer token extraction on headers with leading whitespace

Trim the Authorization header before slicing to extract the token, so headers like " Bearer token" are parsed correctly instead of producing a corrupted token value.

Co-Authored-By: Claude Sonnet 4.6
---
src/api/auth.ts | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/api/auth.ts b/src/api/auth.ts
index a7b4ac7..1a33ab6 100644
--- a/src/api/auth.ts
+++ b/src/api/auth.ts
@@ -48,8 +48,9 @@ function getHeader(req: IncomingMessage, name: string): string | undefined {
 */
 export function getTokenFromRequest(req: IncomingMessage, headerName: string): string | undefined {
 const authHeader = getHeader(req, 'authorization');
- if (authHeader?.trim().toLowerCase().startsWith('bearer ')) {
- return authHeader.slice(7).trim() || undefined;
+ const trimmedAuthHeader = authHeader?.trim();
+ if (trimmedAuthHeader?.toLowerCase().startsWith('bearer ')) {
+ return trimmedAuthHeader.slice(7).trim() || undefined;
 }
 const value = getHeader(req, headerName);
 return value?.trim() || undefined;
@@ -152,8 +153,9 @@ export function createAuthMiddleware(config?: Partial) {
 // Get API key: support Authorization: Bearer (MockMCP-style) and configured header
 const authHeader = ctx.get('authorization');
- const apiKey = authHeader?.trim().toLowerCase().startsWith('bearer ')
- ? authHeader.slice(7).trim()
+ const trimmedAuthHeader = authHeader?.trim();
+ const apiKey = trimmedAuthHeader?.toLowerCase().startsWith('bearer ')
+ ? trimmedAuthHeader.slice(7).trim()
 : (ctx.get(authConfig.headerName) || '').trim();
 if (!apiKey) {
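Review bot: In `getTokenFromRequest`, the `|| undefined` on the new return line can no longer fire. Once the header is trimmed, a value that still starts with `bearer ` must carry a non-whitespace character after the prefix, so `trimmedAuthHeader.slice(7).trim()` is never empty. A header holding only the scheme (`Bearer` followed by spaces) instead fails the `startsWith` test and falls through to the `headerName` lookup. A comment above the `if`, such as `// "Bearer" with no credential does not match; the configured header is used instead`, would record that. The function's doc comment lies outside the hunk, so it may already say this.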
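Review bot: The second hunk, in `createAuthMiddleware`, repeats the same trim, prefix test and `slice(7)` sequence that the first hunk fixes in `getTokenFromRequest`, so the bug had to be patched in two places and the two credential parsers can drift apart again. If `ctx.req` is the Node `IncomingMessage` (the `ctx.get` calls suggest a Koa-style context, but that is not visible here), the middleware could use `const apiKey = getTokenFromRequest(ctx.req, authConfig.headerName);`. The `if (!apiKey)` check that follows already treats `undefined` like the empty string. The diffstat lists only `src/api/auth.ts`, so a regression test for a header such as `" Bearer token"` would be worth adding alongside. The middleware body continues outside the hunk.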