From 438d4138d6128671bc627bbc3fae2d8dd0ce24cb Mon Sep 17 00:00:00 2001
From: TargetLocked <32962687+TargetLocked@users.noreply.github.com>
Date: Sun, 23 Nov 2025 19:34:02 +0800
Subject: [PATCH] fix: compare authentication scheme case-insensitively (#2386)
---
 listener/http/utils.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/listener/http/utils.go b/listener/http/utils.go
index e0793ff3..eb19283d 100644
--- a/listener/http/utils.go
+++ b/listener/http/utils.go
@@ -63,7 +63,11 @@ func removeExtraHTTPHostPort(req *http.Request) {
 // parseBasicProxyAuthorization parse header Proxy-Authorization and return base64-encoded credential
 func parseBasicProxyAuthorization(request *http.Request) string {
 value := request.Header.Get("Proxy-Authorization")
- if !strings.HasPrefix(value, "Basic ") {
+ const prefix = "Basic "
+ // According to RFC7617, the scheme should be case-insensitive.
+ // In practice, some implementations do use different case styles, causing authentication to fail
+ // eg: https://github.com/algesten/ureq/blob/381fd42cfcb80a5eb709d64860aa0ae726f17b8e/src/unversioned/transport/connect.rs#L118
+ if len(value) < len(prefix) || !strings.EqualFold(value[:len(prefix)], prefix) {
 return ""
 }
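Review bot: The new condition in parseBasicProxyAuthorization has two properties that deserve a comment, because the existing comments only explain the RFC motivation. The `len(value) < len(prefix)` guard is what stops a short or empty client-supplied Proxy-Authorization header from panicking on `value[:len(prefix)]`. And `strings.EqualFold` folds Unicode as well as ASCII, so only the fixed byte-length slice limits matches to ASCII case variants of the scheme. Something like `// length guard avoids a slice panic; the byte-length slice means only ASCII case variants of "Basic " can match` would protect both from a later refactor. The function continues outside the hunk, so its return is not visible here; if it still slices at a literal offset it should presumably become `return value[len(prefix):]` so the check and the slice cannot drift apart.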