Bug 2420632

Summary: mod_auth_token does not work properly with ProxyPass and RewriteRule directives
Product: [Fedora] Fedora EPEL
Reporter: Leo <neleo>
Component: mod_auth_token
Assignee: Björn Esser (besser82) <besser82>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel9
CC: besser82
Hardware: All
OS: All
Type: Bug
Attachments: patch to correct the module order (flags: none)

Description Leo 2025-12-09 15:38:10 UTC
Created attachment 2118155
patch to correct the module order

Description of problem:
mod_auth_token fails to work properly with ProxyPass and RewriteRule directives. The issue is that mod_auth_token currently asks to be slotted before mod_alias, but not before other modules. If you, for example, use a RewriteRule on the same path, it will be applied before mod_auth_token comes into play.

Version-Release number of selected component (if applicable):
1.0.5-27.el9

How reproducible:
always

Steps to Reproduce:
1. Here are 2 configuration snippets that currently fail to work with mod_auth_token:

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    ProxyPass              http://127.0.0.1:8000/
</Location>

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    RewriteRule            ^(.*)$ http://127.0.0.1:8000/$1 [P,F]
</Location>

Actual results:
The whole path (including the token and the timestamp hash part) is being forwarded

Expected results:
Only the "real" path is being forwarded (i.e. mod_auth_token does its job beforehand)

Additional info:
This is a known problem and an open issue at GitHub for more than 10 years: 
https://github.com/rolero/mod-auth-token/issues/16
There is also a fix provided by the original reporter. I will add the patch file for the module itself as an attachment.

The SPEC file can be patched as follows:

--- mod_auth_token.spec_orig    2025-12-09 16:26:02.220800790 +0100
+++ mod_auth_token.spec 2025-12-09 16:26:44.778609575 +0100
@@ -1,6 +1,6 @@
 Name:           mod_auth_token
 Version:        1.0.5
-Release:        27%{?dist}
+Release:        28%{?dist}
 Summary:        Token based URI access module for Apache
 
 License:        ASL 2.0
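Review bot: The Release bump from 27 to 28 has no matching %changelog entry in this diff; neither hunk touches %changelog. Add an entry for 1.0.5-28 that names the new patch and references this bug, so the rebuild can be traced back to the report.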
@@ -11,6 +11,7 @@
 Patch1:         mod_auth_token-1.0.5-fix-Wformat.patch
 Patch2:         mod_auth_token-1.0.5-apache24.patch
 Patch3:         mod_auth_token-1.0.5-add_ip_limitation_config.patch
+Patch4:         mod_auth_token-1.0.5-correct-module-order.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
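Review bot: Patch4 is declared here, but the diff contains no %prep change that applies it. If the spec applies patches with explicit %patch lines rather than %autosetup or %autopatch, a matching line for Patch4 is needed; otherwise the package builds without the module-order fix. The attached file also has to be committed next to the spec under the exact name mod_auth_token-1.0.5-correct-module-order.patch.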


Would be great if you could apply the patch and build a new release.
Thanks!
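A backend-side check for the symptom described under "Actual results", as an added example that is not part of the original report or of mod_auth_token: it scans backend access-log lines for request paths that still carry a valid token and timestamp. The URL layout and MD5 construction are assumptions taken from the upstream README, not from this page; the function names, log format and sample lines are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumed URL layout (upstream README, not stated on this page):
#   <prefix><token>/<hex timestamp><real path>
#   token = md5(secret + real path + hex timestamp)
TOKEN_SEG = re.compile(r"/(?P<token>[0-9a-f]{32})/(?P<ts>[0-9a-f]{1,8})(?P<path>/[^\s?]*)")
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (?P<uri>\S+) HTTP/[\d.]+"')


def make_uri(prefix, secret, real_path, ts):
    """Build a token URI for sample input (hypothetical helper, assumed layout)."""
    hex_ts = format(ts, "x")
    token = hashlib.md5((secret + real_path + hex_ts).encode()).hexdigest()
    return f"{prefix}{token}/{hex_ts}{real_path}"


def unstripped_requests(backend_log_lines, secret):
    """Return (uri, real_path) for backend requests that still carry a valid token."""
    hits = []
    for line in backend_log_lines:
        req = REQUEST.search(line)
        if not req:
            continue
        seg = TOKEN_SEG.search(req["uri"])
        if not seg:
            continue
        # Recompute the token so random hex-looking paths are not reported.
        want = hashlib.md5((secret + seg["path"] + seg["ts"]).encode()).hexdigest()
        if hmac.compare_digest(seg["token"], want):
            hits.append((req["uri"], seg["path"]))
    return hits


# Constructed backend access-log lines (sample values, not from the report).
SECRET = "secret"
_leaked = make_uri("/", SECRET, "/report.pdf", 0x69381F52)
SAMPLE_LOG = [
    f'127.0.0.1 - - [09/Dec/2025:15:40:01 +0000] "GET {_leaked} HTTP/1.1" 404 196',
    '127.0.0.1 - - [09/Dec/2025:15:40:05 +0000] "GET /report.pdf HTTP/1.1" 200 5120',
    '127.0.0.1 - - [09/Dec/2025:15:40:09 +0000] "GET /' + "a" * 32 + '/69381f52/x.pdf HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for uri, real in unstripped_requests(SAMPLE_LOG, SECRET):
        print(f"token not stripped: {uri} (backend should have seen {real})")
```

Run against the backend's own access log after rebuilding with the patch; an empty result means the token and timestamp are being stripped before the request is proxied.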

Comment 1 Leo 2026-03-03 11:16:30 UTC
Hi,

is there any chance to get the patch applied? Would be good to have a working release of mod_auth_token again.
I think all necessary information is already provided in the initial request, but if something is missing, please let me know.
Thanks!

Kind regards,
Leo