fix: case-insensitive Bearer token parsing in auth header #25

2026-05-30T12:55:39Z

williams commented

2026-05-30 12:55:39 +00:00

Problem

The MCP auth header regex ^Bearer rejects lowercase bearer tokens. Some HTTP clients send authorization: bearer <token> (lowercase scheme), causing spurious 401s even with a valid token.

Fix

Changed regex from ^Bearer to ^[Bb]earer to accept both Bearer and bearer.

This was tested live on the hertz production server — all four header case combinations (authorization/Authorization × Bearer/bearer) now return HTTP 200.

Closes #21

## Problem The MCP auth header regex `^Bearer` rejects lowercase `bearer` tokens. Some HTTP clients send `authorization: bearer <token>` (lowercase scheme), causing spurious 401s even with a valid token. ## Fix Changed regex from `^Bearer` to `^[Bb]earer` to accept both `Bearer` and `bearer`. This was tested live on the hertz production server — all four header case combinations (`authorization`/`Authorization` × `Bearer`/`bearer`) now return HTTP 200. Closes #21

williams added 1 commit 2026-05-30 12:55:40 +00:00

fix: case-insensitive Bearer token parsing in auth header d2c2962ad1

marfrit merged commit 3dd01e5313 into master

2026-05-30 14:43:38 +00:00

marfrit referenced this issue from a commit

2026-05-30 14:52:38 +00:00

lmcp: bump to 1.2.2 — case-insensitive Bearer auth (marfrit/lmcp#25)

williams referenced this pull request from marfrit/marfrit-packages

2026-05-30 14:52:54 +00:00

lmcp: bump to 1.2.2 — case-insensitive Bearer auth (marfrit/lmcp#25) #109

marfrit referenced this issue from a commit

2026-05-30 14:54:41 +00:00