Commit 0e1f688

Fix bug where callable function skipped unrecognized auth headers (#1181)
We have a weird edge case where an authorization in a form we don't recognize will completely skip the auth check. The fix here applies 2 changes:
1) We allow the 'Bearer <TOKEN>' format to be case insensitive. 'bearer <TOKEN>' also works.
2) We reject other authorization headers, e.g. 'Beaver <token>' is rejected.
1 parent 620af0b commit 0e1f688

2 files changed

+332
-252
lines changed
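
The fail-open behaviour the commit message describes, next to a fail-closed check, as an added example that is not the project's code from this commit. The function names, the status values and the `verifyToken` stub are assumptions, as is the choice to let a request with no Authorization header continue unauthenticated.

```javascript
// Added illustration: names, status values and the verifier stub are hypothetical.

// Stand-in for real token verification (constructed for this example).
function verifyToken(token) {
  return token === "good-token" ? { uid: "user-1" } : null;
}

// Fail-open shape: only the exact prefix "Bearer " triggers verification.
// Anything else falls through as if no credentials had been presented.
function checkAuthFailOpen(header) {
  if (typeof header === "string" && header.startsWith("Bearer ")) {
    const claims = verifyToken(header.slice("Bearer ".length));
    return claims ? { status: "VALID", claims } : { status: "INVALID" };
  }
  return { status: "SKIPPED" }; // 'Beaver x' and 'bearer x' both end up here
}

// Scheme matched case-insensitively; token limited to the RFC 6750 b64token set.
const BEARER = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i;

// Fail-closed shape: a header that is present must parse and verify.
// Assumption: a request with no header at all may continue unauthenticated.
function checkAuthFailClosed(header) {
  if (header === undefined || header === null) return { status: "SKIPPED" };
  const match = BEARER.exec(String(header).trim());
  if (!match) return { status: "INVALID" }; // unknown scheme or malformed value
  const claims = verifyToken(match[1]);
  return claims ? { status: "VALID", claims } : { status: "INVALID" };
}

// Constructed sample headers, including the two from the commit message.
const SAMPLES = [undefined, "Bearer good-token", "bearer good-token",
  "Beaver good-token", "Bearer bad-token", "Basic dXNlcjpwdw==", ""];

function compare(headers) {
  return headers.map((h) => ({
    header: h === undefined ? "(absent)" : h,
    failOpen: checkAuthFailOpen(h).status,
    failClosed: checkAuthFailClosed(h).status,
  }));
}

console.table(compare(SAMPLES));
```

Any row where `failOpen` is `SKIPPED` for a header that was actually sent is a request that reached the handler without its credentials being examined.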
