Good morning, I have a question about a behaviour ...
# http4k
a
Good morning, I have a question about a behaviour in the security framework that I did not find so intuitive. We are working with `BearerAuthSecurity`. I have 2 example implementations:
```kotlin
class Lookup(lookup: (String) -> String?) : Security by BearerAuthSecurity({ lookup(it) != null }), TokenSecurity
class WithKey(lookup: (String) -> String?) :
    Security by BearerAuthSecurity(key = Header.required("Authorization"), lookup = { lookup(it) }), TokenSecurity
```
Then if I do:
```kotlin
val http1: HttpHandler = newBackend(tokenSecurity = WithKey { "hello" })
val http2: HttpHandler = newBackend(tokenSecurity = Lookup { "hello" })

Request(GET, "/hello").header("Authorization", "Bearer 123").use(http1)
Request(GET, "/hello").header("Authorization", "Bearer 123").use(http2)
```
The backend which uses security with only `lookup` receives the bearer header, but in the call to the 2nd backend (with the required header) the `Authorization` header is overridden and I get `Authorization hello` instead of `Authorization Bearer 123`.
For me it is unintuitive because we are using the same `BearerAuthSecurity`, but depending on which parameter we pass, the request that arrives to our system comes already modified. Is this how this should behave? If so, what is the rationale behind it? cc: @Michal Wachowski
d
There's a bunch of missing code here so it's hard to see the exact behaviour.
Would it be possible to put this into a simple Gist so we can see what is going on? 🙂
a
This is the test in which I am doing this: https://github.com/almeydajuan/monorepo-poc/blob/dacfb43e4253772869b21307c0d0d62b7[…]ctactoe4k/src/test/kotlin/com/juanalmeyda/webapp/BackendTest.kt I basically created an http4k project following this guide

https://www.youtube.com/watch?v=FVvn-aFO--Q

and use this base project to test things before using them at work. Basically, this test is starting the backend with this security configuration that modifies the request headers. Let me know if something is not clear.
m