fix(auth): ensure case-insensitivity on reading remote auth headers

[astappiev]

Description

Ensures that Remote Auth headers read case-insensetive.

Linked Issue: Fixes #388

Summary by CodeRabbit

• Bug Fixes
  • Enhanced remote authentication header processing for improved reliability and consistency.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9a65ee96-e382-4fa2-958b-3c320976013c

📥 Commits

Reviewing files that changed from the base of the PR and between 4e9cf79 and 739d61f.

📒 Files selected for processing (1)

• booklore-api/src/main/java/org/booklore/controller/AuthenticationController.java

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Agent
• GitHub Check: Test Suite / Frontend Tests
• GitHub Check: Test Suite / Backend Tests
• GitHub Check: Analyze (java-kotlin)

🧰 Additional context used

📓 Path-based instructions (1)

booklore-api/src/**/*.java

📄 CodeRabbit inference engine (AGENTS.md)

booklore-api/src/**/*.java: Use 4-space indentation in Java files and match surrounding Java style
Prefer constructor injection via Lombok patterns already used in the codebase. Do not introduce @Autowired field injection
Use MapStruct for entity/DTO mapping

Files:

• booklore-api/src/main/java/org/booklore/controller/AuthenticationController.java

🧠 Learnings (2)

📚 Learning: 2026-03-25T21:02:57.527Z

Learnt from: imnotjames
Repo: grimmory-tools/grimmory PR: 195
File: booklore-api/src/main/java/org/booklore/config/logging/RequestLoggingFilterConfig.java:15-19
Timestamp: 2026-03-25T21:02:57.527Z
Learning: In `booklore-api/src/main/java/org/booklore/config/logging/RequestLoggingFilterConfig.java` and `booklore-api/src/main/java/org/booklore/config/logging/filter/RequestLoggingFilter.java`, logging all request headers and payloads at DEBUG level is intentional and accepted behavior in this project. The previous `LoggingFilter` also logged all headers. No header redaction or payload scrubbing is required — the DEBUG log level is considered sufficient access control. The new filter is not profile-gated (unlike the old `Profile("dev")` filter) but relies on `logger.isDebugEnabled()` for gating.

Applied to files:

• booklore-api/src/main/java/org/booklore/controller/AuthenticationController.java

📚 Learning: 2026-03-25T19:09:09.638Z

Learnt from: imnotjames
Repo: grimmory-tools/grimmory PR: 189
File: booklore-api/src/main/java/org/booklore/service/kobo/KoboLibrarySyncService.java:113-116
Timestamp: 2026-03-25T19:09:09.638Z
Learning: In `booklore-api/src/main/java/org/booklore/service/kobo/KoboLibrarySyncService.java`, when deciding whether to forward the `Authorization` header to the upstream Kobo server proxy on the `/v1/library/sync` endpoint, a simple null check (`request.getHeader(HttpHeaders.AUTHORIZATION) != null`) is the correct guard. The header is either absent or present — if present it may or may not be a valid token, but validity is determined by the upstream Kobo server, not by Grimmory. Blank/whitespace intermediate states do not occur in practice, and pre-validating the token value before forwarding is not the responsibility of this service.

Applied to files:

• booklore-api/src/main/java/org/booklore/controller/AuthenticationController.java

🔇 Additional comments (2)

booklore-api/src/main/java/org/booklore/controller/AuthenticationController.java (2)

76-76: Good fix: Using HttpHeaders enables case-insensitive header access.

Spring's HttpHeaders is backed by a LinkedCaseInsensitiveMap, so lookups via getFirst() correctly match headers regardless of capitalization (e.g., Remote-User, remote-user, REMOTE-USER). This directly addresses the issue where proxies send differently-cased headers.

---

81-84: Remove suggestion to use headers.get(); the design expects groups as a single delimited value.

The groups header is designed to arrive as a single value with groups separated by a configurable delimiter (default: whitespace). The UserProvisioningService parses this single string using groupsDelimiter to extract individual groups. Using headers.get() would return a List<String> with no joining logic downstream, which would break the current design.

The Caddy documentation and configuration examples confirm that proxies send groups as one header with delimited values, not as multiple headers. The use of getFirst() is correct.

			> Likely an incorrect or invalid review comment.

---

📝 Walkthrough

Walkthrough

Updated the remote authentication endpoint in AuthenticationController to use Spring's HttpHeaders API instead of a plain map for header retrieval. The change replaces direct map lookups with case-insensitive getFirst() calls to properly extract authentication headers regardless of their capitalization in incoming requests.

Changes

Cohort / File(s)	Summary
Remote Authentication Header Handling booklore-api/src/main/java/org/booklore/controller/AuthenticationController.java	Updated loginRemote() method parameter from Map<String, String> to Spring's HttpHeaders type. Replaced headers.get(...) calls with headers.getFirst(...) to leverage built-in case-insensitive header lookup and removed redundant toLowerCase(Locale.ROOT) normalization.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

backend, enhancement

Poem

🐰 A header walked in, but cases didn't align,
So maps were replaced with Spring's design,
Now HttpHeaders handles names with grace,
Case-insensitive lookups find their place!
Remote auth hops forward, at last!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title follows conventional commit format with scope and descriptive message aligned to the code changes.
Description check	✅ Passed	The PR description includes the required sections but has a minor typo and lacks detailed explanation of changes.
Linked Issues check	✅ Passed	The code changes address the core issue by replacing direct header lookups with HttpHeaders API that properly handles case-insensitivity.
Out of Scope Changes check	✅ Passed	All changes are scoped to the authentication header handling and directly address the reported case-sensitivity issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR fixes Remote Auth header parsing by switching to a case-insensitive header lookup mechanism, addressing login failures when proxies normalize header casing (Fixes #388).

Changes:

• Replace @RequestHeader Map<String, String> with Spring HttpHeaders to rely on case-insensitive header keys.
• Remove manual toLowerCase(Locale.ROOT) normalization when reading configured Remote Auth headers.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.