What are the steps to reproduce this issue?
In cbsecurity configuration do not specify a 'customAuthHeader' in cbsecurity -> jwt settings
Make a request to a resthandler using a standard 'Authorization' header with a value of 'Bearer [token]'
What happens?
The Bearer token is not found because the code in 'JWTService.discoverToken()' that attempts to use the 'customAuthHeader' returns a null value and a subsequent check to see if the token has a length fails silently.
The current code is this:
    string function discoverToken(){
        var event = variables.requestService.getContext();

        // Discover api token from headers using a custom header or the incoming RC
        var jwtToken = event.getHTTPHeader(
            header       = variables.settings.jwt.customAuthHeader,
            defaultValue = event.getValue( name = variables.settings.jwt.customAuthHeader, defaultValue = "" )
        );

        // If we found it, return it, else try other headers
        if ( jwtToken.len() ) {
            return jwtToken;
        }

        // Authorization Header
        return event
            .getHTTPHeader( header = "Authorization", defaultValue = "" )
            .replaceNoCase( "Bearer", "" )
            .trim();
    }
This section:
Should be this or something like it:
…
What were you expecting to happen?
If no 'customAuthHeader' is specified in jwt settings, the discoverToken method is supposed to use the standard Authorization/Bearer token construct.
There really needs to be a NULL check or a check to see if 'customAuthHeader' is even specified.
…
Any logs, error output, etc?
…
Any other comments?
The documentation states that 'by default it uses the authorization bearer header', but there doesn't appear to be a test for this.
…
What versions are you using?
Operating System: Windows
Package Version: Lucee 5.4
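A guarded version of the token discovery described in this issue, written here as an added example; it is not cbsecurity's code and not the reporter's suggested change. It goes slightly beyond the null check the issue asks for by also accepting the `Authorization` value only when it starts with the `Bearer` scheme. The names `discoverTokenSafe` and `stubEvent`, the `x-auth-token` header name and the sample token values are assumptions made for the example.

```cfml
<cfscript>
// Added example (not cbsecurity's code). discoverTokenSafe() and stubEvent() are hypothetical names.
string function discoverTokenSafe( required any event, required struct jwtSettings ){
	// Treat a missing, null or blank customAuthHeader as "not configured"
	var customHeader = trim( jwtSettings.customAuthHeader ?: "" );

	if ( len( customHeader ) ) {
		// Custom header first, then a request-collection value of the same name
		var jwtToken = event.getHTTPHeader(
			header       = customHeader,
			defaultValue = event.getValue( name = customHeader, defaultValue = "" )
		);
		if ( !isNull( jwtToken ) && len( trim( jwtToken ) ) ) {
			return trim( jwtToken );
		}
	}

	// Standard header: accept only "Bearer <token>", matched from the start of the value
	var authHeader = trim( event.getHTTPHeader( header = "Authorization", defaultValue = "" ) );
	if ( reFindNoCase( "^Bearer\s+\S+$", authHeader ) ) {
		return reReplaceNoCase( authHeader, "^Bearer\s+", "" );
	}
	return "";
}

// Constructed stand-in for the request context: only the two methods used above
function stubEvent( struct headers = {}, struct rc = {} ){
	return {
		getHTTPHeader : function( required string header, defaultValue = "" ){
			return headers.keyExists( header ) ? headers[ header ] : defaultValue;
		},
		getValue : function( required string name, defaultValue = "" ){
			return rc.keyExists( name ) ? rc[ name ] : defaultValue;
		}
	};
}

// Constructed sample requests
bearerOnly = stubEvent( headers = { "Authorization" : "Bearer aaa.bbb.ccc" } );
customOnly = stubEvent( headers = { "x-auth-token" : "ddd.eee.fff" } );
basicAuth  = stubEvent( headers = { "Authorization" : "Basic dXNlcjpwYXNz" } );

// No customAuthHeader configured: falls through to Authorization/Bearer
writeOutput( discoverTokenSafe( bearerOnly, {} ) & "<br>" );
// customAuthHeader configured and present on the request
writeOutput( discoverTokenSafe( customOnly, { customAuthHeader : "x-auth-token" } ) & "<br>" );
// Non-Bearer scheme is not treated as a token; prints the length of the result
writeOutput( len( discoverTokenSafe( basicAuth, {} ) ) & "<br>" );
</cfscript>
```

A regression test for the documented default would exercise the first call: settings with no 'customAuthHeader' and a request carrying only 'Authorization: Bearer [token]'.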