Hi,
I have found an embedded web server in one of my "IoT" devices, which does not authenticate while using the "request" module inside iobroker.javascript.
The problem is, that request sends the Authorization header field in all lower case letters. I don't know, if it is defined in RFC if the header has to be case-sensitive.
Is it possible to change the auth.js file (and maybe also others) to have the Header fields starting with uppercase letters and continuing with lowercase as
Authorization
for example. There are some other examples for this behaviour like the host header and so on.
| software | version
| ---------------- | -------
| request | 2.79.0
| node | 4.5.0
| npm | 3.10.8
| Operating System | Ubuntu 14.04.5 LTS with kernel 3.16.0-44-generic #59~14.04.1-Ubuntu
Kind regards Uwe
lupo9557
All 3 comments
Per RFC spec HTTP headers are case insensitive. You'll have to set those headers manually with the headers option.
simov
on 24 Mar 2017
A little bit more about this, because it comes up a lot.
@simov is correct, your server is not spec compliant. The HTTP spec makes it very clear that headers must be case insensitive.
In request, we default to lowercase for the headers that request generates but when you set headers manually we preserve the casing of those headers so that you can deal with servers that are not spec compliant.
You'll need to generate the auth headers yourself and set them with the headers or setHeader features in request if you want a specific casing. It's not reasonable for request to shift around its defaults for servers that aren't spec compliant because there's just no way to us to win, there will always be a server that doesn't like a particular default and is not spec compliant.
mikeal
on 24 Mar 2017
Respectfully I think this deserves revisiting. It's true that the RFC specifies case insensitive headers but the reality is that the majority of people don't test against anything but common web browsers. The case handling of http servers is often outside of the control of users of this library.
The majority of browsers use title-cased headers, the most useful thing this library could do would be to emulate the most commonly used strings, e.g. Host: not host:, Cookie: not cookie:. This way it will work everywhere our browsers work. Joining the herd will bring better compatibility (rightly or wrongly) and also has privacy benefits.
Happy to work on a patch if it is likely to be accepted, thoughts? Could be feature flagged to preserve compatibility for people that prefer lowercase.
chillitom
on 16 May 2017
Related issues
IgorDePaula
·
3Comments
chenby
·
3Comments
pixarfilmz112
·
3Comments
ghost
·
3Comments
jsspace
·
3Comments
Most helpful comment
Respectfully I think this deserves revisiting. It's true that the RFC specifies case insensitive headers but the reality is that the majority of people don't test against anything but common web browsers. The case handling of http servers is often outside of the control of users of this library.
The majority of browsers use title-cased headers, the most useful thing this library could do would be to emulate the most commonly used strings, e.g.
Host:nothost:,Cookie:notcookie:. This way it will work everywhere our browsers work. Joining the herd will bring better compatibility (rightly or wrongly) and also has privacy benefits.Happy to work on a patch if it is likely to be accepted, thoughts? Could be feature flagged to preserve compatibility for people that prefer lowercase.