From f92889b3600c37ae0a45649fc75c7eafc8d370f5 Mon Sep 17 00:00:00 2001
From: Tristan Toye
Date: Sun, 7 Jun 2020 12:11:30 -0400
Subject: [PATCH] Clarify Calling HTTP_APIKey header in example (#488)

* Clarify Calling HTTP_ header in example

In trying to track down a bug here turns out I was trying to reference the wrong header shown in the readme. Printing our `request.env` it becomes clear this is just the full request object:

```
{"rack.version"=>[1, 3], "rack.errors"=>#>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 4.3.5 Mysterious Traveller", "GATEWAY_INTERFACE"=>"CGI/1.2", "REQUEST_METHOD"=>"POST", "REQUEST_PATH"=>"/api/v1/....", "REQUEST_URI"=>"/api/v1/...", "HTTP_VERSION"=>"HTTP/1.1", "HTTP_HOST"=>"example.com", "HTTP_APIKEY"=>"secret_key", "CONTENT_TYPE"=>"application/json", "HTTP_USER_AGENT"=>"PostmanRuntime/7.25.0", "HTTP_ACCEPT"=>"*/*", "HTTP_CACHE_CONTROL"=>"no-cache", ...
```

* Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 86d1fad..f08c44c 100644
--- a/README.md
+++ b/README.md
@@ -135,7 +135,7 @@ E.g. # Provided that trusted users use an HTTP request header named APIKey Rack::Attack.safelist("mark any authenticated access safe") do |request| # Requests are allowed if the return value is truthy - request.env["APIKey"] == "secret-string" + request.env["HTTP_APIKEY"] == "secret-string" end # Always allow requests from localhost
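Review bot: the new line `request.env["HTTP_APIKEY"] == "secret-string"` uses the right env key, because Rack upcases header names, turns `-` into `_` and prefixes `HTTP_` (the commit message's `request.env` dump shows `"HTTP_APIKEY"=>"secret_key"`), but the README comment above it still only says "header named APIKey"; consider extending that comment to mention the Rack normalization so readers do not hit the same confusion that motivated this patch. Since a safelist match skips every throttle and blocklist in Rack::Attack, the example would also be stronger with a constant-time comparison, e.g. `Rack::Utils.secure_compare(request.env["HTTP_APIKEY"].to_s, "secret-string")` instead of `==` (the `.to_s` keeps a missing header from raising), and with the key read from configuration rather than the literal `"secret-string"`.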