Our client code makes a GET request with a capitalized "Authorization" header. When Chrome and Firefox make the preflight OPTIONS call, they generate an Access-Control-Request-Headers header with lower-case "authorization", which seems to work fine with express-jwt. However, when Edge is used, it generates the OPTIONS call keeping the original "Authorization" spelling, which is incompatible with the current express-jwt implementation. The following library code expects an all-lower-case "authorization" in a case-sensitive way.
```javascript
if (req.method === 'OPTIONS' && req.headers.hasOwnProperty('access-control-request-headers')) {
  var hasAuthInAccessControl = !!~req.headers['access-control-request-headers']
    .split(',').map(function (header) {
      return header.trim();
    }).indexOf('authorization');
  if (hasAuthInAccessControl) {
    return next();
  }
}
```
W3C clearly specifies that HTTP header names are case-insensitive. I couldn't find a clarification regarding how this rule is applied to access-control-request-headers. I think, based on the essence of the original rule, header tokens listed in access-control-request-headers should be case-insensitive too. I suggest converting the list of tokens to lowercase by changing the map lambda function to

```javascript
return header.trim().toLowerCase();
```
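The two behaviours side by side, as an added example that is not part of the original issue or of express-jwt itself: the function names, the `classify` helper and the sample requests are constructed for illustration. It also shows that lowercasing keeps the match on whole tokens, so a header that merely contains "authorization" does not skip token verification.

```javascript
'use strict';

// Split the Access-Control-Request-Headers value into trimmed tokens.
// Node lowercases header *names* in req.headers but leaves *values* as sent.
function requestedHeaders(req) {
  const value = req.headers['access-control-request-headers'];
  return typeof value === 'string' ? value.split(',').map(h => h.trim()) : [];
}

// Behaviour of the check quoted in the issue: case-sensitive token match.
function isAuthPreflightStrict(req) {
  return req.method === 'OPTIONS' &&
    requestedHeaders(req).includes('authorization');
}

// Behaviour with the change proposed in the issue: lowercase each token first.
function isAuthPreflight(req) {
  return req.method === 'OPTIONS' &&
    requestedHeaders(req).map(h => h.toLowerCase()).includes('authorization');
}

// Constructed sample requests following the issue's description.
const samples = {
  chromeFirefox: { method: 'OPTIONS',
    headers: { 'access-control-request-headers': 'authorization' } },
  edge: { method: 'OPTIONS',
    headers: { 'access-control-request-headers': 'Authorization, Content-Type' } },
  // Whole-token comparison: a superstring must not count as "authorization".
  lookalike: { method: 'OPTIONS',
    headers: { 'access-control-request-headers': 'X-Authorization-Hint' } },
  // Only OPTIONS preflights may bypass the JWT check.
  plainGet: { method: 'GET',
    headers: { 'access-control-request-headers': 'Authorization' } }
};

// Evaluate both checks for every sample.
function classify() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = { strict: isAuthPreflightStrict(req), insensitive: isAuthPreflight(req) };
  }
  return out;
}

console.log(classify());
```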
Thanks a lot for your ticket... I've run into this issue and tried to fix it for hours. Now I've changed "Authorization" into "authorization" and it's fixed. :) Saved my day!