folded-ear · barneyb · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026
diff --git a/src/main/java/com/brennaswitzer/cookbook/security/HeaderTokenAuthenticationFilter.java b/src/main/java/com/brennaswitzer/cookbook/security/HeaderTokenAuthenticationFilter.java
@@ -7,11 +7,17 @@
 public class HeaderTokenAuthenticationFilter extends AbstractTokenAuthenticationFilter {
 
     private static final String BEARER_AUTHENTICATION_PREFIX = "Bearer ";
+    private static final int PREFIX_LENGTH = BEARER_AUTHENTICATION_PREFIX.length();
 
     protected String getJwtFromRequest(HttpServletRequest request) {
-        String bearerToken = request.getHeader(HttpHeaders.AUTHORIZATION);
-        if (StringUtils.hasText(bearerToken) && bearerToken.startsWith(BEARER_AUTHENTICATION_PREFIX)) {
-            return bearerToken.substring(BEARER_AUTHENTICATION_PREFIX.length());
+        String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
+        if (StringUtils.hasText(authorization)
+            && authorization.length() > PREFIX_LENGTH
+            && authorization.substring(0, PREFIX_LENGTH)
+                    .equalsIgnoreCase(BEARER_AUTHENTICATION_PREFIX)
+        ) {
+            return authorization.substring(PREFIX_LENGTH)
+                    .strip();
         }
         return null;
     }

diff --git a/src/main/java/com/brennaswitzer/cookbook/util/CookieUtils.java b/src/main/java/com/brennaswitzer/cookbook/util/CookieUtils.java
@@ -13,6 +13,8 @@
 public class CookieUtils {
 
     public static Optional<Cookie> getCookie(HttpServletRequest request, String name) {
+        // This method can return null when request.getHeader("cookies") returns
+        // non-null. Not sure what that's about.
         Cookie[] cookies = request.getCookies();
 
         if (cookies != null) {

diff --git a/src/test/java/com/brennaswitzer/cookbook/security/HeaderTokenAuthenticationFilterTest.java b/src/test/java/com/brennaswitzer/cookbook/security/HeaderTokenAuthenticationFilterTest.java
@@ -0,0 +1,51 @@
+package com.brennaswitzer.cookbook.security;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.springframework.http.HttpHeaders;
+
+import java.util.stream.Stream;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class HeaderTokenAuthenticationFilterTest {
+
+    @ParameterizedTest
+    @MethodSource
+    void caseInsensitive(String authorization, String token) {
+        HeaderTokenAuthenticationFilter filter = new HeaderTokenAuthenticationFilter();
+        HttpServletRequest req = mock(HttpServletRequest.class);
+        when(req.getHeader(HttpHeaders.AUTHORIZATION))
+                .thenReturn(authorization);
+
+        assertEquals(token,
+                     filter.getJwtFromRequest(req));
+    }
+
+    public static Stream<Arguments> caseInsensitive() {
+        return Stream.of(
+                Arguments.of("",
+                             null),
+                Arguments.of("soManyBears",
+                             null),
+                Arguments.of("Bear cow",
+                             null),
+                Arguments.of("Bearers horse donkey",
+                             null),
+                Arguments.of("BEARER goat",
+                             "goat"),
+                Arguments.of("bearer goat",
+                             "goat"),
+                Arguments.of("Bearer goat",
+                             "goat"),
+                Arguments.of("bEARer rabbit",
+                             "rabbit"),
+                Arguments.of("Bearer   sebastian  ",
+                             "sebastian"));
+    }
+
+}