fix: require bearer scheme for JWT auth

[pm-ju]

/kind bug

Require the Authorization header to use the Bearer scheme before extracting a JWT token.

Previously, an Authorization header without the Bearer prefix was treated as the token value. That allowed malformed schemes such as raw tokens or Basic ... values to reach JWT parsing instead of being rejected as an invalid auth header.

This change:

• Returns an empty token unless the header has exactly a Bearer scheme and token.
• Accepts the Bearer scheme case-insensitively.
• Handles extra whitespace around the scheme/token.
• Adds focused unit coverage for invalid schemes and malformed token values.

Verification:
go test ./pkg/kthena-router/filters/auth

[Copilot]

Pull request overview

This PR tightens JWT extraction in the Kthena router auth filter by requiring the HTTP Authorization header to use the Bearer scheme before treating the value as a JWT, preventing malformed/incorrect schemes from reaching JWT parsing.

Changes:

• Update extractTokenFromHeader to only accept Authorization: Bearer <token> (case-insensitive), tolerating extra whitespace and rejecting all other formats.
• Adjust existing unit expectation to reject raw tokens without a Bearer scheme.
• Add unit tests covering lowercase schemes, extra whitespace, embedded whitespace, and invalid schemes reaching the middleware.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
pkg/kthena-router/filters/auth/authentication.go	Makes token extraction strict to the Bearer scheme (case-insensitive) and rejects malformed headers early.
pkg/kthena-router/filters/auth/authentication_test.go	Updates/extends tests to verify strict Bearer parsing and middleware rejection for invalid schemes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gemini-code-assist]

Code Review

This pull request improves the robustness of JWT token extraction by replacing simple prefix trimming with a more flexible approach using strings.Fields, which correctly handles case-insensitive schemes and extra whitespace. Corresponding test cases were added to verify these scenarios and ensure invalid authorization schemes are rejected. The reviewer suggested adding a defensive nil check for the http.Request parameter in extractTokenFromHeader to prevent potential panics in future usage contexts.

[gemini-code-assist]

The function extractTokenFromHeader does not check if the req parameter is nil. While it is currently called with c.Request from a Gin middleware (which is typically non-nil), adding a defensive check would prevent potential panics if this helper is used in other contexts or if the request is not properly initialized.

Suggested change

	func extractTokenFromHeader(req *http.Request) string {
	value := req.Header.Get(header)
	return strings.TrimPrefix(value, prefix)
	fields := strings.Fields(req.Header.Get(header))
	func extractTokenFromHeader(req *http.Request) string {
	if req == nil {
	return ""
	}
	fields := strings.Fields(req.Header.Get(header))

[hzxuzhonghu]

nice fix — strings.TrimPrefix silently passed through any token without a Bearer prefix, which was a real security hole. Using strings.Fields + EqualFold is cleaner and handles extra whitespace as a bonus. The case-insensitive check aligns with RFC 7235 too.

[hzxuzhonghu]

/lgtm

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/OWNERS [hzxuzhonghu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment